Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11827
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-04-03 04:05:03 | thehackernews | MISCELLANEOUS | Europol Takes Down Kidflix in Global Crackdown on CSAM | In a major international effort, Europol has dismantled "Kidflix," a significant provider of child sexual abuse material (CSAM) that operated from April 2022 to March 2025. As part of Operation Stream, authorities from 38 countries identified 1,393 individuals linked to Kidflix through payment transaction analysis. To date, 79 arrests have been made, with some suspects prosecuted for both distribution and direct abuse of children. The platform, which began in 2021, had amassed approximately 91,000 unique videos and 190,000 registered users, who uploaded CSAM and earned tokens for viewing. During the raid on March 11, 2025, law enforcement seized the server, which hosted around 72,000 videos at the time. Over 3,000 electronic devices were confiscated, and despite the arrests, many users of the platform remain unidentified. The European Commission is citing these developments in support of a broader initiative, termed ProtectEU, aimed at enhancing cybersecurity and enabling lawful access to encrypted data. | Details |
| 2025-04-02 21:59:38 | theregister | NATION STATE ACTIVITY | Corporate Espionage Scandal Unfolds at HR Firms Rippling and Deel | Keith O'Brien, the former global payroll compliance manager at Rippling, admitted to being co-opted into spying for Deel, a competitor. Deel's CEO Alex Bouaziz allegedly concocted a plan for O'Brien to provide confidential data from Rippling, offering him about 5,000 euros monthly. The scheme included covert communications via Telegram, payment through Revolut, and documentation tactics to avoid a paper trail, later shifting to cryptocurrency. Rippling sued Deel in U.S. federal court and in Ireland for theft of trade secrets and espionage, supported by O'Brien's affidavit detailing the covert operations. O'Brien attempted to destroy evidence by resetting and then physically damaging his phone, as advised by a Deel attorney. Rippling set a trap using a Slack channel named "#d-defectors," which successfully exposed O'Brien as the internal spy. Facing legal repercussions, O'Brien eventually cooperated with Rippling's legal team, which led to his firing but spared him from further prosecution. The ordeal culminated in O'Brien confessing to making false allegations under Deel's direction; he described his decision to come clean as the result of severe personal turmoil. | Details |
| 2025-04-02 21:18:28 | bleepingcomputer | MISCELLANEOUS | openSNP to Shut Down, Delete Data Over Growing Privacy Risks | openSNP, a platform for sharing genetic and phenotypic data, is set to shut down on April 30, 2025, due to heightened privacy concerns. The founder, Bastian Greshake Tzovaras, cited the risk of data misuse, potentially by authoritarian regimes, as a key reason for the closure. Originally, openSNP aimed to democratize access to genetic data, countering the dominance of commercial DNA testing firms. Despite being a crucial resource in research and education, the recent bankruptcy of 23andMe has largely halted new data contributions to openSNP. Growing interest from private forensics firms, law enforcement, and governments in accessing such data has made it ethically and politically risky to maintain the platform. openSNP has decided that deleting all stored data is the most responsible way to handle user submissions under current societal conditions. Users have until the shutdown date to download their data if needed; after the shutdown, the data will no longer be accessible, reducing the risk of misuse through data scraping. | Details |
| 2025-04-02 19:52:20 | bleepingcomputer | DATA BREACH | Security Flaw in Verizon API Exposes Customer Call Logs | A vulnerability in Verizon's Call Filter API allowed unauthorized access to other users' incoming call histories. The flaw was discovered by security researcher Evan Connelly on February 22, 2025, and fixed by Verizon the following month. The Call Filter app comes pre-installed on Verizon Android and iOS devices and is used by millions. The flaw involved an unsecured endpoint that did not verify that the phone number in the JWT payload matched the number whose call logs were being requested. This has privacy implications, since call metadata could enable surveillance of a user's routines, contacts, and relationships. The flaw potentially exposed sensitive information about high-value targets such as politicians, journalists, and law enforcement officials. It is unclear how long the vulnerability existed or whether it was exploited; no rate limiting or API gateway protection was noted. The API was hosted on a server operated by Cequint, raising concerns about the security practices around handling telecommunications data. | Details |
| 2025-04-02 19:17:23 | theregister | CYBERCRIME | Ransomware Gang Shifts Focus to Pure Extortion Amid Risks | Hunters International, a notorious ransomware group, has announced a strategy shift from ransomware to purely extortion-based tactics, citing increasing risk and lower profitability. The gang is rebranding as "World Leaks" and has already launched a dark web page focused on data theft and extortion without the use of ransomware. Despite the pivot, conflicting messages suggest that Hunters International might still be active under its original name, or that a split within the group is causing confusion. Leading figures in the group cited heightened law enforcement action and the designation of some ransomware operations as terrorism as key reasons for moving away from ransomware. Researchers from Group-IB reported that, despite initial technical issues, World Leaks is operational but has yet to claim any victims. The new strategy includes offering affiliates custom data exfiltration tools and a share of the profits, emphasizing a less detectable approach. This shift follows a broader trend in the cybercriminal community, where many groups are moving away from ransomware due to increased legal and operational pressure. | Details |
| 2025-04-02 18:27:40 | bleepingcomputer | DATA BREACH | GitHub Enhances Security Tools After Major Secret Leaks | GitHub updated its Advanced Security platform following the discovery of over 39 million secrets leaked from repositories in 2024. Leaked items included API keys, passwords, and tokens, posing significant security risks to users and organizations. GitHub attributes the frequent secret leaks to developers prioritizing convenience and to accidental exposure in git history. The Advanced Security updates include new measures and enhancements that can now be purchased as standalone products for scalable security. Push Protection, which blocks secrets at the repository level before they are committed, is enabled by default on all public repositories. Users are encouraged to eliminate hardcoded secrets from source code and to use environment variables, secret managers, or vaults instead. GitHub also stresses integrating these tools with CI/CD pipelines and cloud platforms to manage secrets programmatically and minimize human error. Guidance is available in GitHub's 'Best Practices' guide for managing secrets end to end. | Details |
| 2025-04-02 18:07:00 | bleepingcomputer | MISCELLANEOUS | Microsoft Introduces Hotpatch Updates for Windows 11 Enterprise | Microsoft has launched hotpatch updates for Windows 11 Enterprise 24H2 on x64 systems, which allow OS security updates to be installed without rebooting. Hotpatch updates are applied in the background by patching the in-memory code of running processes. Administrators can create a hotpatch-enabled quality update policy through Windows Autopatch in the Microsoft Intune console. Hotpatch updates will be offered quarterly and are designed to reduce downtime by eliminating the need for device restarts in eight months out of twelve. To use hotpatch updates, businesses require a Microsoft subscription, a compatible Windows 11 Enterprise 24H2 PC, and Virtualization-based Security (VBS) enabled. Hotpatch updates for Arm64 devices are still in public preview, but administrators can modify settings to make these devices eligible. Standard monthly security updates will continue for devices running Windows 10 and Windows 11 versions up to 23H2. The hotpatching capability was first tested on Windows Server Azure Edition before being introduced to Windows client systems. | Details |
| 2025-04-02 16:40:36 | bleepingcomputer | DATA BREACH | Royal Mail Investigates Third-Party Data Breach Impacting Operations | Royal Mail is investigating claims of a security incident involving Spectos GmbH, its third-party data service provider, after 144 GB of data was allegedly leaked from the provider's systems. The leaked data reportedly includes personal information of Royal Mail customers, internal documents, and recorded meetings, among other sensitive information. Spectos confirmed a cyberattack that began on March 29, 2025, leading to unauthorized access to customer data; the extent is under forensic investigation. Hudson Rock reported that the attackers accessed Royal Mail systems using the credentials of a Spectos employee that were compromised in a 2021 malware infection. The breach has not affected Royal Mail's operational capabilities, and services are continuing as usual. Royal Mail has previously experienced cyber incidents, including severe disruption in 2023 from a LockBit ransomware attack that affected international shipping. The current investigation seeks to determine the full scope and potential consequences of the leaked customer data. | Details |
| 2025-04-02 15:04:46 | theregister | DATA BREACH | Oracle Criticized for Poor Communication During Data Breaches | Oracle faced criticism for its handling of communications during two reported data security incidents. Initially, on March 20, Oracle denied allegations of a breach, claiming that no Oracle Cloud customers were affected. Subsequent investigations and expert opinions suggested otherwise, pointing to possible deception and carefully worded semantics in Oracle's statements. Reports emerged that Oracle allegedly used archive exclusion requests to remove evidence of the breaches from the internet. Despite the denials, leaked communications from Oracle Health indicated a breach involving stolen legacy data. The company's communication strategy has been described as a failure of transparency that could damage its reputation. Experts emphasize the importance of clear and honest communication in managing the fallout from cybersecurity incidents. Oracle's response to these incidents contrasts starkly with best-practice guidelines for transparent incident disclosure. | Details |
| 2025-04-02 14:49:49 | theregister | MISCELLANEOUS | Infinidat Enhances Cyber Resilience with Advanced Recovery Solutions | Infinidat focuses on enabling rapid recovery from cyberattacks through its enterprise storage solutions. Modern workloads' reliance on very large data volumes necessitates robust data restoration systems. InfiniSafe features, including immutable snapshot recovery and air-gapped environments, are intended to provide quick and secure data recovery. The use of AI and deep machine learning is said to expedite the recovery process and meet stringent SLA requirements. Integration with third-party SOC, SIEM, and SOAR platforms via APIs enhances automated cyber protection. InfiniSafe's AI capabilities help detect malware or ransomware in data snapshots. The InfiniBox storage array delivers guaranteed immutable snapshot recovery in under a minute. The technology is aimed at minimizing downtime and promoting business resilience against cyber threats. | Details |
| 2025-04-02 14:11:47 | bleepingcomputer | MISCELLANEOUS | Global Effort Shuts Down Major Child Exploitation Platform | KidFlix, a major child sexual exploitation platform on the dark web, was shut down on March 11 by German law enforcement. This international action, named Operation Stream, was supported by Europol and involved various national agencies. Since its inception in 2022, Operation Stream has led to 79 arrests and identified 1,393 suspects, seizing over 3,000 electronic devices. Approximately 1.8 million users worldwide accessed KidFlix, which hosted around 72,000 videos of child abuse material. Information regarding suspects has been shared across 35 countries, enhancing global cooperation against child exploitation. The platform, unique in its streaming capability, used a token system in which users earned and spent tokens to view videos. Law enforcement highlighted the prevalence of repeat offenders in networks that distribute child sexual abuse material. Additional operations, including Operation Cumberland, have targeted related criminal rings distributing AI-generated child sexual abuse material. | Details |
| 2025-04-02 14:01:39 | bleepingcomputer | MALWARE | Counterfeit Androids Preloaded with Triada Malware Risk Data Theft | A new version of the Triada Trojan was found preinstalled on thousands of counterfeit Android devices targeting Russian users. Kaspersky detected at least 2,600 infected devices between March 13 and 27, 2025, using its mobile protection tools. The malware evades detection by operating in the device's RAM and embedding itself within Android's system framework. Triada was embedded into the smartphone firmware before distribution, indicating a possible supply chain compromise. Infected devices have been tied to the theft of at least $270,000 in cryptocurrency; the precise total is unclear because some of the funds were moved through hard-to-trace Monero. The malware copies itself into every process on the smartphone, affecting the operation and security of the entire system. Kaspersky suggests that these devices likely reach consumers through unauthorized retail channels and recommends buying only from authorized distributors. | Details |
| 2025-04-02 14:01:39 | bleepingcomputer | MISCELLANEOUS | Bridging the Gap Between Security Expectation and Reality | Despite advanced tools and teams, many organizations discover security control failures only after a breach. Traditional security testing such as compliance audits and penetration tests often misses operational assurance, leaving crucial gaps. Real-world examples show how increased logging volume or unnoticed network changes can cripple security systems such as a SIEM or IDS. Five common reasons for security failures include inadequate investment in threat prevention, detection, and response, and overwhelmed security systems. Continuous validation and testing, such as Managed Breach & Attack Simulation (BAS) services, is essential for identifying and rectifying these failures. Ongoing tests also help in holding vendors accountable, renegotiating contracts, and ensuring vendors meet their service level agreements. Introducing business metrics such as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) aligns security performance with business goals. Companies are advised to move from trusting security investments blindly to continuously testing and validating their effectiveness in order to manage risk and reduce costs. | Details |
| 2025-04-02 13:55:05 | thehackernews | CYBERCRIME | Google Patches Cloud Run Flaw Enabling Unauthorized Image Access | Researchers discovered a critical vulnerability in Google Cloud Platform's Cloud Run service that allowed unauthorized access to container images. The flaw, named ImageRunner, let attackers with specific permissions abuse Cloud Run to access, and potentially inject malicious code into, private container images. Attackers could manipulate Cloud Run service revisions to pull any private image from associated Google registries without the proper permissions. Google addressed the issue by ensuring that only principals with explicit permissions can access container images during Cloud Run operations. The vulnerability exposed inherent risks in the interconnectivity of cloud services, highlighting potential privilege escalation and hidden security threats. Its discovery follows recent findings of similar vulnerabilities in Azure, showcasing widespread challenges in cloud security management. Google's patch now requires that any principal creating or updating a Cloud Run resource have explicit container image access permissions. Tenable, the cybersecurity firm that reported the issue, emphasized the broader implications of interconnected cloud service architectures. | Details |
| 2025-04-02 13:23:54 | bleepingcomputer | CYBERCRIME | Critical Cisco Backdoor Admin Vulnerability Exposed and Exploited | Cisco alerted administrators to a critical vulnerability in the Cisco Smart Licensing Utility (CSLU) that introduces a backdoor admin account, making it susceptible to unauthorized remote access. The vulnerability, identified as CVE-2024-20439, allows unauthenticated attackers to gain administrative access via the CSLU app's API by using hardcoded static credentials. Although Cisco patched the flaw in September, details of the vulnerability and an exploitation method were published afterwards, leading to observed exploitation in the wild. In a related threat, attackers are chaining CVE-2024-20439 with a second vulnerability (CVE-2024-20440) to access log files containing sensitive information through crafted HTTP requests. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recognized the severity of this exploit and ordered federal agencies to address the vulnerability by April 21. Cisco's advisory emphasizes that customers must update their software to mitigate this backdoor vulnerability and protect against potential breaches. The article also gives historical context, noting similar hardcoded-credential issues found in various Cisco products over recent years. | Details |