Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11827
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-04-01 15:36:04 | thehackernews | MISCELLANEOUS | Google Introduces End-to-End Encryption for Gmail Enterprise Users | Google announces the ability for enterprise Gmail users to send end-to-end encrypted (E2EE) emails to any email platform using a new encryption model. This new feature supports encryption without the need for custom software or exchanging encryption certificates, simplifying the encryption process. The E2EE feature is currently in beta for intra-organizational emails within Gmail, with plans to expand to all Gmail users and subsequently to other email services. The encryption is powered by client-side encryption (CSE), ensuring that data is encrypted before leaving the client and stored securely in Google's cloud, inaccessible to third parties including Google. For recipients using non-Gmail services, such as Microsoft Outlook, Google provides a method to view encrypted emails through a guest Google Workspace account. The encryption keys used in this process are managed in a cloud-based key management service, allowing administrators to control access to encryption keys. The introduction of this technology aims to improve data privacy and security while reducing the complexity and resources traditionally required for secure email communication. | Details |
| 2025-04-01 14:46:36 | bleepingcomputer | MISCELLANEOUS | Google Introduces Simplified E2EE for Gmail Business Users | Google has launched a new end-to-end encryption (E2EE) service for Gmail business users, facilitating encrypted email communication across any platform. The new E2EE model allows enterprise users to send encrypted emails easily without the complex certificate management typically required by S/MIME. Initially, the service will enable sending E2EE emails within the same organization, with plans to expand to all Gmail users and eventually to any email service. Users can activate encryption by selecting the "Additional encryption" option, with Gmail handling the decryption automatically for Gmail recipients. Non-Gmail recipients will access emails through a secure link, viewing them in a restricted Gmail version or using a guest Google Workspace account. The E2EE feature leverages client-side encryption (CSE) to ensure data is encrypted before it reaches Google's servers, enhancing privacy and compliance with data sovereignty laws and regulations like HIPAA. Google has previously implemented client-side encryption across various Google Workspace tools, including Google Drive and Google Meet, as part of its broader security strategy. | Details |
| 2025-04-01 14:38:30 | bleepingcomputer | CYBERCRIME | Massive Scanning of Palo Alto Networks Portals Detected | A significant increase in scanning activity targeting Palo Alto Networks GlobalProtect login portals has been observed. Over 24,000 unique IP addresses were recorded participating in the activity, with a peak of 20,000 IPs per day starting from March 17, 2025. The majority of these source IPs originate from the United States and Canada, primarily focusing on systems based in the USA. Of the detected IPs, 23,800 are classified as "suspicious" and 154 have been confirmed as "malicious." The scanning pattern suggests a potential prelude to exploitation: historically, new vulnerabilities have surfaced two to four weeks after such reconnaissance activity. GreyNoise has noted a similar pattern over the last 18 to 24 months, involving targeted attacks and reconnaissance on known vulnerabilities. The scanning activity may be related to another identified pattern involving a PAN-OS crawler that spiked concurrently on March 26, 2025. Administrators are advised to review logs since mid-March for signs of compromise and to implement defensive measures against potential exploitation attempts. | Details |
| 2025-04-01 14:22:48 | thehackernews | CYBERCRIME | Lucid PhaaS Exploits iMessage and RCS in Global Smishing Campaign | Lucid, a phishing-as-a-service platform, has targeted 169 entities across 88 countries, using Apple iMessage and RCS for Android to bypass SMS filters. The service, developed by the Chinese-speaking XinXin group, mainly focuses on stealing credit card data and personally identifiable information in Europe, the UK, and the US. Lucid, alongside other platforms like Lighthouse and Darcula, is part of a broader underground economy offering phishing services on a subscription basis. These phishing campaigns mimic legitimate entities like postal services and courier companies, using convincing templates to extract sensitive information. Lucid's operations use iPhone device farms and Windows-based mobile device emulators to send large volumes of scam messages. Evasion techniques include IP blocking, user-agent filtering, and single-use URLs to avoid detection. The service also offers tools for creating customizable phishing sites and a real-time monitoring panel for tracking victim interactions. The findings highlight the growing sophistication of phishing attacks, which are becoming increasingly difficult for traditional security measures to detect. | Details |
| 2025-04-01 13:38:06 | bleepingcomputer | MALWARE | Apple Releases Critical Fixes for Exploited Zero-Day Vulnerabilities | Apple has issued security updates backporting fixes for previously exploited zero-day vulnerabilities to older versions of iOS, iPadOS, and macOS. The updates address critical vulnerabilities, including flaws allowing USB mode bypass, sandbox escape, and WebKit engine exploitation in sophisticated attacks. Affected older systems, such as iOS 16.7.11 and iPadOS 15.8.4, now include patches previously available only in the latest OS versions. New security updates for current iOS, iPadOS, and macOS versions fix several severe vulnerabilities, with no actively exploited zero-days reported in this round. Specific critical vulnerabilities patched include ones that could lead to app sandbox bypass, arbitrary code execution at the kernel level, and privilege escalation to root. Apple underscores the importance of applying these updates immediately to protect against potential exploitation and maintain system integrity. Apple's consistent security support across both new and older device versions highlights the ongoing risks and challenges presented by sophisticated cyber threats. | Details |
| 2025-04-01 13:09:08 | theregister | MISCELLANEOUS | Google Extends End-to-End Encryption Across All Gmail Users | Google announced it will provide end-to-end encrypted (E2EE) email options for all Gmail users, expanding beyond Google Workspace users. The E2EE feature ensures secure email communication and simplifies the email encryption process compared to the traditional S/MIME protocol. Users can send encrypted emails to any recipient, regardless of the email platform; Outlook users, for instance, will access encrypted emails via a secure, temporary Gmail interface. Google asserts the new encryption method removes complex IT requirements, enhances user experience, and maintains privacy and data sovereignty. A phased rollout begins with the ability to send E2EE emails to other Gmail users within the same organization, expanding to all Gmail and external users later. Google also introduced other security features, including sensitivity labels and enhanced AI-driven spam and phishing detection. This update parallels existing encrypted email solutions like Microsoft Purview Message Encryption and platforms such as ProtonMail. | Details |
| 2025-04-01 12:51:24 | bleepingcomputer | CYBERCRIME | Critical Authentication Bypass in CrushFTP Now Actively Exploited | Attackers are exploiting a critical authentication bypass vulnerability in CrushFTP software, affecting versions 10 and 11. The vulnerability (CVE-2025-2825) was initially reported by Outpost24 and allows remote unauthenticated access. CrushFTP released patches on March 21 to address this security issue and advised immediate updating. Shadowserver reported detecting exploitation attempts and found over 1,500 vulnerable CrushFTP instances still accessible online as of March 30, 2025. CrushFTP previously experienced similar security issues, including a zero-day flaw in 2024 (CVE-2024-4040) exploited for intelligence-gathering. A critical remote code execution flaw (CVE-2023-43177) was also patched in November 2023 in CrushFTP's enterprise suite. The ongoing vulnerability exposures highlight the targeting of file transfer software by ransomware gangs for data theft attacks. | Details |
| 2025-04-01 11:45:41 | theregister | NATION STATE ACTIVITY | UK Plans £100K Daily Fines to Boost Cyber Security Resilience | The UK's technology secretary unveiled the new Cyber Security and Resilience (CSR) Bill, promising up to £100,000 in daily fines for organizations that fail to combat specified cyber threats. The CSR bill, expected to be debated in Parliament later this year, aims to enhance the existing Network and Information Systems (NIS) regulations and protect the nation's critical services from cyber threats. The proposed legislation includes three main pillars: expanding the scope of regulated entities, granting regulators increased enforcement powers, and allowing the government to swiftly amend regulations in response to emerging cyber threats. Potential amendments being considered could expand regulatory scope to include datacenters, establish a unified strategy for all regulators, and enable the government to issue ad-hoc directives to organizations for immediate security enhancements. The CSR bill will also mandate incident reporting within 24 hours and ensure more comprehensive coverage of less severe incidents, in contrast to international standards which often allow longer reporting windows. Authorities express deep concern about the escalating cyber threats to the UK's critical national infrastructure (CNI), citing significant increases in attacks on utilities and other essential services. The National Cyber Security Centre (NCSC) supports the bill, emphasizing its potential to significantly strengthen cyber defenses in crucial sectors such as healthcare, water, and electricity. Legal and cybersecurity experts highlight the ongoing challenges and resource needs for organizations to attain and maintain cyber resilience, stressing the importance of continued investment and employee awareness in cybersecurity practices. | Details |
| 2025-04-01 11:32:21 | thehackernews | MALWARE | Apple Issues Security Updates for iOS, macOS Legacy Devices | Apple has released updates to address three actively exploited vulnerabilities in older iOS and macOS versions. The vulnerabilities are currently under live exploitation, prompting the release of backported fixes. The security patches cover several legacy devices, ensuring they are protected against the identified threats. The move coincides with Apple's latest software rollouts, which include iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4, and Safari 18.4. These updates rectify a variety of security issues, with iOS 18.4 and macOS Sequoia 15.4 fixing 62 and 131 flaws, respectively. Users are advised to update their devices promptly to the latest available versions to mitigate risks associated with the vulnerabilities. | Details |
| 2025-04-01 11:26:07 | thehackernews | CYBERCRIME | Coordinated Login Scans Target GlobalProtect Gateways, Researchers Warn | Cybersecurity experts have identified a significant increase in suspicious login scans targeting PAN-OS GlobalProtect gateways. The campaign involved nearly 24,000 unique IP addresses, indicating a coordinated effort to probe network defenses. The peak activity occurred from March 17 to March 26, 2025, with daily attempts involving close to 20,000 IPs. Researchers identified 154 IP addresses as particularly malicious, originating mainly from the US, Canada, Finland, the Netherlands, and Russia. The primary targets of these scans were systems located in the US, UK, Ireland, Russia, and Singapore. The activity is seen as a potential precursor to more targeted future attacks, possibly exploiting new or existing vulnerabilities. Experts recommend that organizations with internet-facing Palo Alto Networks instances enhance their security measures to guard against such reconnaissance attempts. | Details |
| 2025-04-01 11:10:20 | thehackernews | NATION STATE ACTIVITY | China-Linked Earth Alux Targets APAC and LATAM Sectors with Advanced Malware | Earth Alux, a new China-linked cyber espionage group, is actively targeting various sectors including government, technology, and telecommunications in the Asia-Pacific and Latin America. The threat actor uses sophisticated multi-stage intrusion techniques, initially deploying the Godzilla web shell on compromised web applications to facilitate further malware deployment. Key malware used includes VARGEIT and COBEACON, with the latter also known as Cobalt Strike Beacon; these tools support complex operations like data collection and lateral movement. VARGEIT features advanced capabilities like loading additional tools directly from a command-and-control server into a disguised process, alongside supporting ten different C&C communication channels. Techniques such as DLL side-loading and timestamp modification are utilized to maintain persistence and evade detection by security applications. Earth Alux also employs MASQLOADER, which has evolved to include anti-API-hooking techniques to bypass security measures and remain undetected. Ongoing tool refinement and testing indicate a sophisticated and adaptive adversary focused on long-term espionage and data exploitation activities. | Details |
| 2025-04-01 11:01:21 | thehackernews | DATA BREACH | Retailer Faces Fines After Accidental CSRF Token Leak | A major retailer inadvertently shared CSRF tokens with Facebook due to a misconfigured Facebook Pixel. CSRF tokens are essential security elements that identify and authenticate user interactions on websites to prevent unauthorized actions. Reflectiz, a web threat monitoring solution, identified the data leak and recommended storing CSRF tokens in HttpOnly cookies to prevent third-party access. The misconfigured Facebook Pixel was found to be accessing and transmitting CSRF tokens and other sensitive data. Immediate corrective actions included changes to the Facebook Pixel's code to prevent further unauthorized data access. Data protection regulators could impose hefty fines on businesses that accidentally overshare restricted information. Reflectiz's ongoing monitoring and recommendations aim to enhance the retailer's defenses against similar security risks in the future. Businesses are advised to adopt robust security measures to safeguard sensitive data and remain compliant with regulations. | Details |
| 2025-04-01 09:00:06 | theregister | DATA BREACH | GCHQ Intern Guilty of Stealing Top Secret Information | Hasaan Arshad, a 25-year-old student intern at GCHQ, admitted to illegally downloading top secret data, including a highly valued spy tool. Arshad took the data home on a hard drive after downloading it using his phone inside a highly secure area of GCHQ on August 24, 2022. He pleaded guilty to breaking Section 3ZA of the Computer Misuse Act 1990, facing serious consequences for unauthorized acts causing or risking severe damage. Prosecutors claim the stolen software, developed with substantial taxpayer funding, is worth millions and represents a significant security breach. Investigations revealed Arshad had also created illegal images and had discussions about "bug bounties" suggesting potential financial motives, though he denied these claims in a statement. Arshad apologized for his actions, attributing them to curiosity and a lack of judgment, and emphasized steps taken to secure the data after removal. He is out on bail with restrictions, including a ban from using the dark web, with sentencing scheduled for June 13. | Details |
| 2025-04-01 05:57:13 | thehackernews | MISCELLANEOUS | French Authority Fines Apple €150 Million Over Privacy Practices | Apple has been fined €150 million by France's competition authority for abuses related to its App Tracking Transparency (ATT) practices. The fine addresses Apple's dominant position in distributing iOS and iPadOS mobile applications between April 2021 and July 2023. The ATT framework requires explicit user consent for app-based tracking across websites and apps for advertising purposes. The French regulator criticized the implementation as unnecessarily complex and non-compliant with the French Data Protection Act. There is a noted implementation asymmetry: users must confirm tracking consent twice, whereas refusal requires only one step. Unlike third-party developers, Apple avoided double consent for its own apps' tracking until the introduction of iOS 15. The CNIL's decision highlights the framework's lack of neutrality and imposes no specific changes; Apple is expected to comply independently. Apple states that its ATT framework has received support from consumers and privacy advocates globally, viewing the fine as minor compared to its quarterly earnings. | Details |
| 2025-04-01 01:14:33 | theregister | MALWARE | Resurge Malware Exploits Ivanti Hardware Flaw, CISA Warns | CISA has issued an alert regarding Resurge, a new malware variant that targets and exploits security vulnerabilities in Ivanti hardware products, specifically Connect Secure, Policy Secure, and ZTA Gateway. Resurge exploits a critical stack-overflow issue, CVE-2025-0282, allowing unauthenticated remote code execution, previously leveraged by the Spawn family of malware in zero-day attacks. Once installed, Resurge can bypass system integrity checks, modify system files, harvest user credentials, create user accounts, reset passwords, and elevate user permissions. The malware creates web shells on the compromised devices, enabling attackers to control them remotely and continuously manipulate device operations. To eradicate the malware and its traces from the network, a complete firmware reset and reinstallation on the affected devices is recommended, followed by a password reset for both privileged and standard user accounts. Ivanti has urged customers who have not updated their systems since the vulnerability was patched to do so immediately, using the latest firmware version for optimal security. This recent security threat marks another year of Ivanti grappling with zero-day vulnerabilities, emphasizing the ongoing challenges in securing networked hardware environments. | Details |