Daily Brief

2025-04-22 18:31:30 bleepingcomputer MALWARE SK Telecom USIM Data Compromised in Recent Malware Attack
SK Telecom, South Korea's leading mobile operator, experienced a malware attack that exposed sensitive USIM-related customer data. Detected on April 19, 2025, the malware was identified during a weekend when staffing was reduced, potentially increasing vulnerability. The compromised data includes crucial USIM information such as IMSI, MSISDN, and authentication keys, which could be exploited for surveillance or SIM-swap attacks. Immediately upon discovery, SK Telecom removed the malware, isolated affected hardware, and reported the incident to Korea Internet & Security Agency (KISA) and the Personal Information Protection Commission. To date, there are no confirmed instances of misuse of the leaked information, although the full extent and origin of the breach are still under investigation. SK Telecom has enhanced security measures, including tightened controls on USIM swaps and abnormal authentication attempts, and introduced a USIM protection service to prevent unauthorized SIM changes. Customers are urged to enroll in the USIM protection service to safeguard against potential SIM card portability fraud.
2025-04-22 18:12:49 theregister CYBERCRIME Ransomware Group Mocks US Department Using Elon Musk's Tactics
Fog ransomware group incorporates satirical Elon Musk policy reference in updated ransom demands, demanding victims list their weekly accomplishments. The ransom note mimics a policy from Musk’s tenure as head of the US Department of Government Efficiency (DOGE), where federal employees must submit five-point recaps of their weekly achievements. The unusual demand in ransom notes reflects a trend of cybercriminals merging political satire with their illegal activities, possibly to mock victims and government inefficiencies. Fog ransomware, active for about a year, targets both Windows and Linux systems across multiple industries, but little is known about its origins or group composition. Trend Micro researchers have provided indicators of compromise and methods to defend against the Fog ransomware, highlighting the need for increased vigilance and protective measures. Speculation surrounds Elon Musk’s future with the US government, with reports suggesting Musk may resign from DOGE by May due to frustrations with political opposition. DOGE, under Musk’s guidance, aimed to drastically reform federal operations but has not reached its expected efficacy and budget-cutting goals.
2025-04-22 17:13:26 theregister MISCELLANEOUS New Ransomware Research Bounty Program Offers $250K Fund
Halcyon has launched the Threat Research Incentive Program (TRIP), allocating $250,000 to reward researchers for ransomware-specific intelligence. Each approved submission can earn researchers up to $10,000, aiming to aid the development of Halcyon's anti-ransomware technologies. The program's goal is to enhance ransomware prevention efforts by incorporating new intelligence into Halcyon's products rather than making all findings publicly available. The rewards program is structured into four tiers, with the most critical intel (Tier 1) yielding the highest payouts of up to $10,000. Salinas emphasized that while the program benefits the security community by rewarding independent research, the primary beneficiaries will be Halcyon and its customers. Submissions are vetted to ensure they do not inadvertently reveal victim identities or provide threat actors with insights that could compromise further investigations. Payouts are made through official, traceable channels, and researchers must verify their independence and lack of affiliation with sanctioned entities or ransomware groups.
2025-04-22 16:47:14 thehackernews MALWARE Malicious Docker Containers Mine Crypto Using Fake Signals
Cybersecurity firms Darktrace and Cado Security have exposed a new malware campaign which exploits Docker environments to mine cryptocurrency. The malware leverages an innovative method where it falsely interacts with the Web3-based Teneo service to generate rewards, bypassing traditional direct crypto mining approaches. Teneo operates a decentralized platform where participants can earn points by running nodes that scrape social media data; however, the malware fakes activity to accumulate points without real data scraping. The offending Docker container, labeled "kazutod/tene:ten", contains an obfuscated Python script that interacts with Teneo's system just enough to mimic activity and earn rewards. The malware’s strategy includes sending keep-alive pings to simulate engagement, exploiting the system's reward for 'heartbeat' actions rather than actual data scraping. This Docker-based approach is part of a broader trend of cybercriminals moving away from easily detectable mining tools like XMRig to more surreptitious methods of exploiting computing resources for financial gain. The discovery also aligns with recent findings of increased botnet activities and IoT device exploitations aimed at conducting DDoS attacks, highlighting ongoing vulnerabilities in network security.
2025-04-22 16:47:13 bleepingcomputer MALWARE Ripple's xrpl.js Library Compromised, XRP Wallets Exposed
The official Ripple xrpl.js library was hacked, leading to theft of XRP wallet seeds and private keys. Malicious code targeted versions 2.14.2, 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of the xrpl NPM package, affecting downloads made within a specific one-hour period. A method called checkValidityOfSeed was added to these versions to forward sensitive data to an attacker-controlled server. This supply chain attack is not unique, following similar breaches in other blockchain ecosystems like Ethereum and Solana. Users are advised to immediately upgrade to the clean version 4.2.5 and consider key rotation or disabling compromised keys as per XRP Ledger documentation. Despite relatively low download numbers, the widespread use of the xrpl.js library means potential access to a large number of wallets. The malicious additions were likely made using compromised developer credentials and did not appear in the public GitHub repository, indicating a breach during the NPM publishing process.
2025-04-22 16:16:34 theregister CYBERCRIME M&S Reports Cyber Incident Affecting Click & Collect Orders
Marks & Spencer (M&S) has notified the London Stock Exchange of a "cyber incident" impacting their operations. The specific details and nature of the incident were not disclosed, but it has been affecting customer orders for the past few days. M&S's Click & Collect service experienced disruptions, though their stores remain open, and their website and app are operating normally. Customers were informed via email about potential delays with their Click & Collect orders but were advised that no immediate actions were needed on their part. The retailer has made "minor, temporary changes" to its store operations to safeguard customer and business interests. M&S has engaged external experts for incident management and reported the situation to the National Cyber Security Centre and the Information Commissioner's Office. Social media reports from customers mentioned issues with service availability as early as Saturday, indicating possible earlier impacts of the cyber incident.
2025-04-22 15:22:06 theregister NATION STATE ACTIVITY UN Warns of Global Spread of Asian Scam Call Centers
The United Nations reports that the epidemic of scam call centers, primarily rooted in Southeast Asia, is now a global issue, with operations expanding as criminal syndicates adapt and spread internationally. Recent crackdowns in Asia have led to these criminal groups relocating their operations to areas with weaker governance, including South America, Africa, and parts of Europe. These operations not only involve scam calls but also encompass money laundering and human trafficking, with estimated annual earnings between $27.4 and $36.5 billion. The UN highlighted that these criminal networks are now using online platforms to broaden their reach and are increasingly involved in other forms of cyber-enabled fraud, such as online gambling. Law enforcement agencies in several African and South American countries have conducted operations resulting in the arrest of numerous individuals linked to these scam operations. Syndicates are reportedly setting up physical operations in strategic locations, including Georgia and Turkey, to facilitate their fraudulent activities and recruitment efforts. The UNODC has urged governments across the world to strengthen their regulatory frameworks and enhance their law enforcement capabilities to combat the proliferation of these crime networks effectively.
2025-04-22 15:08:09 bleepingcomputer CYBERCRIME Proof-of-Concept "Cookie-Bite" Attack Targets Microsoft Session Tokens
Varonis security researchers unveiled a proof-of-concept attack, named "Cookie-Bite," utilizing a malicious Chrome extension to steal Microsoft Azure session cookies. The attack specifically targets the Entra ID cookies 'ESTSAUTH' and 'ESTSAUTHPERSISTENT', which can be used to bypass multi-factor authentication and maintain prolonged access to services like Microsoft 365. Once the 'ESTSAUTH' and 'ESTSAUTHPERSISTENT' cookies are exfiltrated, attackers can import them via legitimate extension tools to gain unauthorized access under the victim's identity. Microsoft's conditional access policies and monitoring of unusual login activity, such as sign-ins originating from a VPN, are crucial in identifying and mitigating such session theft. The stealth and persistence of the Cookie-Bite attack emphasize the need for stricter policies on browser extension management and developer-mode restrictions in enterprise environments. This type of session cookie theft isn't new but poses significant risks due to the potential for extensive unauthorized access, including email infiltration and internal system manipulation.
2025-04-22 14:12:12 thehackernews MALWARE Vulnerability in GCP Cloud Composer Allows Privilege Escalation
Cybersecurity researchers at Tenable identified a critical vulnerability in Google Cloud Platform's Cloud Composer service, nicknaming it ConfusedComposer. ConfusedComposer could let attackers with edit permissions escalate access to GCP's default Cloud Build service account, granting them high-level permissions. Attackers could exploit the vulnerability by injecting malicious Python Package Index (PyPI) packages into a Cloud Composer environment. This flaw demonstrates how interaction between cloud services can lead to inherited security issues, known as the "Jenga" effect. Successful exploitation would allow attackers access to sensitive GCP services like Cloud Storage and Artifact Registry, potentially leading to data theft or service disruption. Google has patched this vulnerability by altering how PyPI packages are installed, using the environment's service account instead of the Cloud Build account. The update affects existing Cloud Composer 2 environments and is already implemented in new Cloud Composer 3 setups. This disclosure follows another recent vulnerability identified in Microsoft Azure and a bug in Microsoft Entra ID, highlighting ongoing security challenges in major cloud platforms.
2025-04-22 11:08:09 thehackernews MALWARE Rising Browser-Based Threats Challenge Traditional Security Measures
The web browser is now a primary endpoint in enterprise environments, heavily utilized but largely unmonitored. Over 70% of recent malware attacks originate from activities within browsers, exploiting their lack of visibility to security tools. Phishing attacks and malware can bypass conventional defenses like firewalls and endpoint detection by operating directly within the browser environment. Generative AI tools and third-party browser extensions are introducing new security vulnerabilities, often without clear boundaries or sufficient oversight. Traditional Data Loss Prevention (DLP) systems are inadequate for modern, browser-intensive workflows, failing to detect the nuanced data movement within applications. Shadow IT is proliferating through browsers as employees adopt unsanctioned SaaS applications and AI tools, significantly increasing enterprise security risks. The Keep Aware report highlights the urgent need for security strategies that incorporate browser-native visibility and control mechanisms to effectively protect enterprise data and operations.
2025-04-22 10:54:22 thehackernews CYBERCRIME Sophisticated Phishing Attack Exploits Google's Infrastructure
Threat actors orchestrated an advanced phishing scheme leveraging Google Sites and DKIM replay to bypass email security and harvest credentials. Emails, appearing legitimate and signed, misled recipients by directing them to a fraudulent Google Sites URL under the guise of legal subpoenas. The counterfeit Google Support page on this URL tricked users into entering their Google account information on a fake sign-in page. Attackers cleverly maintained the legitimacy of the emails by manipulating "Signed by" headers, despite having unrelated "Mailed by" headers. The phishing technique involved creating a Google OAuth application with deceptive permissions, making forwarded emails bypass security checks. Despite Google's efforts to mitigate such threats by updating security measures, the incident highlights ongoing vulnerabilities in email communication systems. Google recommends users bolster their security by adopting two-factor authentication and passkeys to defend against such phishing attacks. This attack points to a broader trend of increasing sophistication in phishing techniques, including misuse of various attachment formats like SVG.
2025-04-22 07:40:51 thehackernews NATION STATE ACTIVITY Microsoft Bolsters Security Post Storm-0558 Cyberattack
Microsoft has transitioned its Microsoft Account (MSA) and Entra ID signing services to Azure confidential virtual machines to improve security. This security upgrade responds to vulnerabilities exploited by the Storm-0558 China-based nation-state actor, which resulted in the breach of numerous companies. Since the attack, Microsoft has enhanced MSA and Entra ID with Azure Managed HSM service to rotate access token signing keys securely. Over 90% of Microsoft Entra ID identity tokens are now validated by a hardened identity SDK, and 92% of employee accounts use phishing-resistant MFA. The company is isolating production systems, enforcing two-year retention for security logs, and protecting production code branches with MFA protocols. A pilot project is ongoing to isolate customer support workflows into a dedicated tenant to further secure sensitive operations. These changes are part of the Secure Future Initiative (SFI), described by Microsoft as the largest cybersecurity engineering project in its history. This initiative followed a critical report by the U.S. Cyber Safety Review Board on Microsoft's security lapses, which facilitated the 2023 Storm-0558 attacks.
2025-04-22 04:30:44 thehackernews NATION STATE ACTIVITY Lotus Panda Targets SE Asian Entities with Advanced Malware
Lotus Panda, identified as a China-linked cyber espionage group, compromised various organizations in Southeast Asia from August 2024 to February 2025. The targeted entities included governmental ministries, air traffic control, a telecom operator, and a construction company, revealing a broad scope of interest. Symantec reported the use of novel customized tools like loaders, credential stealers, and a reverse SSH tool in these sophisticated attacks. Other targets spanned across Southeast Asia, impacting a news agency and an air freight organization in neighboring countries. Previous disclosures link Lotus Panda to widespread campaigns targeting sectors such as government, manufacturing, telecommunications, and media across multiple Asian regions. The recent campaign utilized legitimate executables from known software like Trend Micro and Bitdefender to sideload malicious DLLs, facilitating further exploits. Advanced tools deployed in the operations included ChromeKatz and CredentialKatz for stealing browser credentials, and a tool called Zrok for remote access, showcasing a high level of technical sophistication. This consistent pattern of cyber espionage highlights Lotus Panda's ongoing threat to national security and critical infrastructure in the region.
2025-04-22 02:25:32 theregister CYBERCRIME Exploited Bug Allowed Unauthorized SSL Certificate Issuance
A security flaw in SSL.com's domain validation system enabled unauthorized issuance of digital certificates. The vulnerability was exploited by creating a DNS TXT record with a false contact email, tricking SSL.com into issuing certificates for domains not owned by the requester. SSL.com has since revoked 11 mistakenly issued certificates, including one for Alibaba's cloud domain, aliyun.com. The exploit was demonstrated by a researcher using the handle "Sec Reporter," who was able to obtain certificates for domains without proper authorization. SSL.com has disabled the faulty domain control validation (DCV) method and is working on a fix, with a full incident report due by May 2. The issued certificates could have been used for malicious purposes such as spoofing legitimate sites and conducting man-in-the-middle attacks. SSL.com is treating the incident with high priority and thanked the researcher for highlighting the critical vulnerability.
2025-04-21 20:34:12 theregister CYBERCRIME AI Rapidly Crafts Exploits from Publicly Disclosed Vulnerabilities
Generative AI models can now develop proof-of-concept (PoC) exploit code within hours of vulnerability disclosure, significantly reducing the time defenders have to react. Matthew Keely from ProDefense used AI to create a working exploit for a critical SSH library vulnerability in Erlang, leveraging code from a recently published patch. AI's use in cybersecurity isn't new; similar technologies have been used to identify and exploit vulnerabilities by analyzing descriptions and commit changes. The initial AI-generated exploit code required fixes, demonstrating that while AI can speed up the process, it may still need human intervention for complex tasks. The capability of AI to shorten the attack cycle underlines the necessity for faster and more automated responses in cybersecurity defenses. Enterprises are advised to assume that any vulnerability disclosure could be immediately exploited, necessitating readiness for swift response and patch implementation. The increased speed of threat propagation and exploitation calls for higher levels of coordination among defenders, emphasizing the need for enhanced security strategies in modern DevOps environments.