Daily Brief
Articles are listed below, each with a generated summary
Total articles found: 11823
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-04-23 13:13:45 | thehackernews | MALWARE | Iran-Linked Hackers Employ MURKYTOUR Malware in Israeli Job Scam | Iranian threat group UNC2428 deployed MURKYTOUR malware via a fake job recruitment campaign targeting Israel. The campaign mimicked Israeli defense contractor Rafael to lure victims into downloading a disguised installer. The installer, called LONEFLEET, featured a graphical user interface prompting victims to enter personal data and submit resumes, which triggered the malware. Once launched, the backdoor gave the attackers persistent access to the victims' systems. Mandiant linked the activity to broader Iranian cyber espionage efforts against various Israeli sectors. The operation was part of a pattern of diverse cyber threats from Iran, including other groups using phishing and malware to gather intelligence. The report highlighted the use of legitimate-looking interfaces and cloud infrastructure by Iranian actors to avoid detection and maintain payload delivery. Over 20 different malware families were identified as part of Iranian cyber operations in the Middle East in 2024. |
| 2025-04-23 13:04:36 | theregister | CYBERCRIME | Rising Threat: Stolen Credentials Now Lead in Cloud Security Breaches | Stolen credentials have surpassed email phishing as the most common method of initial access in cyberattacks, particularly in cloud environments. Mandiant's 2025 report indicates a significant increase in the use of stolen credentials, which accounted for 35% of cloud compromises. Financially motivated attacks constituted 55% of the observed activity in 2024, with only 8% related to espionage, marking a shift from previous years. The report tracked a new high of 737 threat clusters in 2024, showing the expanding scope and complexity of cyber threats. Ransomware attacks often began with brute-force methods, but stolen credentials played a substantial role in gaining initial entry. The resurgence of infostealer malware contributes to the high incidence of credential theft, compromising both personal and corporate data. Multi-factor authentication (MFA) is stressed as a critical defense, with the report highlighting the gaps where MFA is not enabled. The report emphasizes the need for heightened security measures across both personal devices and corporate networks to counter these evolving threats. |
| 2025-04-23 12:23:10 | thehackernews | NATION STATE ACTIVITY | Android Spyware Targeting Russian Military Uncovered | Cybersecurity researchers discovered Android spyware disguised as the Alpine Quest mapping software and aimed at Russian military personnel. The spyware, known as Android.Spy.1292.origin, was embedded in older versions of Alpine Quest Pro and distributed via Russian Android app catalogs and a fake Telegram channel. Once installed, the malware mimics the legitimate app and remains undetected while transmitting sensitive data such as location changes and supporting the theft of files sent via communication apps like Telegram and WhatsApp. Its capabilities can be expanded by downloading additional modules, allowing a broader range of malicious activity. To protect against such threats, users are advised to download apps only from reputable sources and to be wary of unofficial "free" versions of paid apps. Separately, Kaspersky reported that Russian organizations across the government, finance, and industrial sectors are being targeted by a sophisticated backdoor masquerading as an update for the ViPNet secure networking software. The backdoor, embedded within LZH archives, is capable of stealing files and launching additional malicious components on infected computers. |
| 2025-04-23 11:03:31 | thehackernews | MISCELLANEOUS | Why Browsers are Crucial in Combating Modern Phishing Attacks | Phishing attacks increasingly leverage identity-based techniques, with phishing-linked stolen credentials now the primary cause of breaches. Traditional detection controls such as Secure Email Gateways and network-layer tools are being bypassed by attackers using methods such as malvertising and multi-channel attacks. Browser-based detection moves phishing defense into the browser itself, focusing directly on the content rendered there. In-browser security tools can analyze dynamic web pages and JavaScript, enabling detection of tactics, techniques, and procedures (TTPs) rather than just indicators of compromise (IoCs). Real-time interception of phishing attempts is feasible with browser-based solutions that observe user interactions directly on malicious pages. Detection from within the browser can shut down phishing attacks before they cause harm, unlike the delayed response of non-browser solutions. Push Security's browser extension is highlighted as a proactive tool for real-time phishing prevention, offering protection against a range of identity attack techniques. |
| 2025-04-23 10:55:07 | thehackernews | NATION STATE ACTIVITY | Russian Hackers Target Ukraine Allies Using Microsoft OAuth | Russian-linked cyber actors are aggressively targeting entities tied to Ukraine and human rights, focusing on unauthorized access to Microsoft 365 accounts. They employ social engineering built around Microsoft OAuth 2.0 authentication workflows to deceive victims into handing over Microsoft-generated OAuth codes. The attackers use compromised identities, impersonating European political officials and leveraging platforms like Signal and WhatsApp to coordinate meetings and share malicious links. These tactics enable the attackers to obtain Microsoft authentication tokens and gain control over victims' Microsoft 365 accounts. The targeted attacks have been linked to several Russian threat groups, with potential connections to known entities such as APT29. Methods involve redirecting victims to manipulated URLs that appear to be legitimate Microsoft login portals, where the OAuth authorization codes are harvested. Once the OAuth code is shared, attackers can register a new device in the victim's Microsoft Entra ID tenant, potentially gaining permanent account access. Organizations are advised to increase awareness of phishing attacks, audit newly registered devices, and tighten conditional access policies to mitigate these threats. |
| 2025-04-23 10:38:06 | theregister | NATION STATE ACTIVITY | Ex-NSA Chief Urges AI Developers to Prioritize Security Early | Former NSA head Mike Rogers emphasizes the importance of integrating security into AI development from the start to avoid later vulnerabilities. Rogers highlighted past failures in cybersecurity where systems lacked built-in security, leading to costly retrofits and increased risk. At the Vanderbilt Summit, he discussed the potential dangers of not securing AI, ranging from data leaks to biased algorithms influencing critical decisions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) director encouraged secure practices by having technology vendors sign the Secure by Design Pledge. Contrasting policies between the Biden and Trump administrations show differences in the handling of AI regulation and tech company liability. Rogers referenced Project Maven to illustrate the importance of aligning technology with ethical and practical use, pointing to the cultural divide between government objectives and tech company values. Historical shifts in Google's AI policies reflect broader changes in the tech industry's approach to ethical considerations in AI applications. |
| 2025-04-23 08:29:17 | theregister | NATION STATE ACTIVITY | Trump Administration Criticized for Weakening US Cybersecurity | The Trump administration has been accused of severely undermining America's cyber defenses, including the possible lapse of the crucial Common Vulnerabilities and Exposures (CVE) database due to a lack of funding and support. CISA, the agency responsible for the CVE program, faced significant budget and staff cuts, jeopardizing the continuity of the CVE database, whose funding is now set to run out in March 2026. Key figures such as General Timothy D. Haugh, who played a critical role in national cyber defense, were dismissed under the administration, further weakening the cybersecurity framework. Cybersecurity advisory bodies such as the Cyber Safety Review Board were effectively disbanded, halting investigations into major cyber incidents like the "Salt Typhoon" hacks. The administration promoted decentralizing cyber defense responsibilities to the state and local levels, potentially increasing vulnerability due to inconsistent capabilities across states. Critical federal cybersecurity grant programs saw funding cuts, impacting the ability to hire and retain skilled cybersecurity professionals at the state level. The administration's approach has raised concerns about the security of sensitive federal systems and data, with risky implications for national and individual security. |
| 2025-04-23 07:20:00 | thehackernews | MALWARE | Ripple xrpl.js Library Compromised to Steal Cryptocurrency Keys | Ripple's npm JavaScript library, xrpl.js, was compromised, affecting versions 4.2.1 through 4.2.4 and 2.14.2. The attack was a software supply chain compromise aimed at exfiltrating private keys from users. The malicious code was added by a user named "mukulljangid", suspected to be a compromised Ripple employee account. A backdoor function, checkValidityOfSeed, transmitted the stolen data to an external domain. With over 2.9 million downloads of xrpl.js and significant weekly activity, the exposure may be extensive. No evidence was found of compromise of the associated GitHub repository; the attack was confined to the npm package versions. Updated package versions 4.2.5 and 2.14.3 were released to remove the malicious alterations and secure user data. Users are urged to upgrade immediately to the latest versions to avert potential security risks. |
| 2025-04-23 05:28:04 | thehackernews | MISCELLANEOUS | Google Modifies Chrome's Cookie Policy and Boosts Incognito Privacy | Google has decided against introducing a new standalone prompt for third-party cookies in Chrome, continuing with its existing setup within the browser's Privacy and Security settings. This decision is part of Google's broader Privacy Sandbox initiative, which balances user privacy enhancements with feedback from industry stakeholders. Instead of deprecating third-party tracking cookies, Google is focusing on enhancing privacy features in Incognito mode, which already blocks these cookies by default. A significant upcoming feature in Chrome's Incognito mode is IP Protection, slated for release in Q3 2025, which aims to hide users' original IP addresses to prevent cross-site tracking. Google's approach reflects the divergent perspectives of publishers, developers, regulators, and the advertising industry regarding changes to third-party cookie usage. The company plans to continue engaging with the industry to refine its Privacy Sandbox technologies and will update its strategic roadmap in the months to come. Notably, Google's strategy differs from competitors like Apple Safari and Mozilla Firefox, which have blocked third-party cookies by default since 2020, as Google juggles its roles as browser vendor, advertising platform, and search engine. These changes come amid intense regulatory scrutiny of Google's market influence in search and advertising, including recent U.S. Department of Justice proposals to potentially divest parts of its business. |
| 2025-04-22 23:30:24 | bleepingcomputer | CYBERCRIME | Marks & Spencer Impacted by Cyberattack, Disrupts Customer Services | Marks & Spencer (M&S) has experienced a cyberattack affecting its operations and its Click and Collect service. Despite the ongoing incident, M&S stores, website, and app remain functional, with minimal disruption to everyday consumer access. The company engaged external cybersecurity experts to assist with the investigation and management of the incident. M&S has reported the incident to data protection supervisory authorities and the National Cyber Security Centre. Customers have been advised of potential delays with the Click and Collect service and to await notification before pickup. M&S has issued an apology for the inconvenience caused by the cyberattack and is actively working to resolve the disruptions. No specific details about the nature of the cyberattack or the identity of the attackers have been disclosed as yet. |
| 2025-04-22 21:12:00 | bleepingcomputer | CYBERCRIME | Critical Mail RCE Flaw Targets Japanese Firms; Urgent Update Needed | A zero-day remote code execution (RCE) vulnerability in Active! Mail is being actively exploited, predominantly affecting large Japanese organizations. Active! Mail, a web-based email client used by over 11 million accounts in Japan, suffers from a critical stack-based buffer overflow. The flaw, identified as CVE-2025-42599 with a CVSS v3 score of 9.8, potentially allows arbitrary code execution or a denial-of-service condition. Following the vulnerability disclosure, IT service providers such as Kagoya Japan and WADAX reported attacks, leading to temporary service suspensions. Japan's CERT confirmed the exploitation and has issued an update recommendation to mitigate the risks associated with the vulnerability. Security experts from Macnica noted at least 227 Active! Mail servers exposed online, including 63 at educational institutions, heightening the risk of attack. Companies unable to implement the update immediately are advised to configure Web Application Firewalls (WAF) to inspect and filter HTTP requests to prevent exploitation. |
| 2025-04-22 20:25:07 | theregister | MISCELLANEOUS | Google Abandons Privacy Sandbox, Retains Third-Party Cookies | Google has decided to continue using third-party cookies in Chrome, abandoning its Privacy Sandbox initiative aimed at enhancing user privacy. This reversal comes after opposition from advertising technology rivals and regulatory pressure, with concerns that the Sandbox would unfairly advantage Google's already dominant ad services. Third-party cookies, criticized for compromising privacy by tracking users across multiple sites, will remain integral to Chrome's functionality. Privacy Sandbox, announced in 2019, was intended to replace third-party cookies with a system that still allows targeted ads while complying with rising privacy regulation. Google had planned an opt-in screen allowing users to choose between the Privacy Sandbox and traditional third-party cookies, but this has now been scrapped. Some components of the Privacy Sandbox, such as the IP Protection scheme, will still be implemented, aiming for a Q3 2025 deployment. Critics such as the Electronic Frontier Foundation accuse Google of prioritizing its business model over user privacy, especially when compared to other browsers that block third-party cookies by default. Google asserts that it will work with industry stakeholders to revise its roadmap and possibly continue developing other Privacy Sandbox technologies. |
| 2025-04-22 19:43:54 | bleepingcomputer | CYBERCRIME | Hackers Manipulate Zoom Feature to Steal Cryptocurrency | A hacking group called 'Elusive Comet' is exploiting Zoom's remote control feature to access and steal cryptocurrency from users. The group employs social engineering tactics that mimic the methodology used by the Lazarus group in the recent $1.5 billion Bybit crypto heist. Victims are lured into a phony interview setup on Zoom, orchestrated through convincingly fraudulent Bloomberg or crypto-focused journalist profiles on X or via email. During the call, the attackers rename their display name to "Zoom" and prompt the victim to grant remote access under the guise of a legitimate Zoom request. Once access is granted, the attackers can control the victim's system, enabling them to extract sensitive data, install further malware, and complete unauthorized cryptocurrency transactions. Trail of Bits, the cybersecurity firm reporting the issue, uncovered the scam after its CEO was targeted and suggests stringent control measures, including avoiding Zoom in high-security environments. Recommendations for defense include deploying specific Privacy Preferences Policy Control profiles to block unsolicited access requests. |
| 2025-04-22 19:37:11 | theregister | NATION STATE ACTIVITY | Two Senior CISA Officials Resign Amid U.S. Cybersecurity Cuts | Bob Lord and Lauren Zabierek, both key figures at CISA, announced their resignations, specifically highlighting their involvement in the Secure by Design program. The Secure by Design initiative focused on enhancing cybersecurity by asking software makers to build better security into products from the earliest stages of development. Zabierek's mission included persuading over 250 software companies to commit to better security practices, such as implementing multi-factor authentication. The resignations come as CISA faces significant workforce reductions, with potential cuts affecting up to 40% of its staff due to budget constraints imposed by the Trump administration. Concerns are rising about a "brain drain" at CISA that may weaken U.S. national cybersecurity, especially as changes to the program under the current administration have been hinted at. Recent cuts at CISA include a 50% reduction in funding for the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the discontinuation of multiple advisory committees focused on cybersecurity. |
| 2025-04-22 18:31:30 | bleepingcomputer | MALWARE | SK Telecom USIM Data Compromised in Recent Malware Attack | SK Telecom, South Korea's leading mobile operator, experienced a malware attack that exposed sensitive USIM-related customer data. The malware was detected on April 19, 2025, during a weekend when staffing was reduced, which may have increased exposure. The compromised data includes crucial USIM information such as IMSI, MSISDN, and authentication keys, which could be exploited for surveillance or SIM-swap attacks. Immediately upon discovery, SK Telecom removed the malware, isolated the affected hardware, and reported the incident to the Korea Internet & Security Agency (KISA) and the Personal Information Protection Commission. To date, there are no confirmed instances of misuse of the leaked information, although the full extent and origin of the breach are still under investigation. SK Telecom has enhanced its security measures, including tightened controls on USIM swaps and abnormal authentication attempts, and introduced a USIM protection service to prevent unauthorized SIM changes. Customers are urged to enroll in the USIM protection service to safeguard against potential SIM card portability fraud. |