Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11832
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-03-24 11:07:07 | thehackernews | MISCELLANEOUS | Balancing Strong Password Security with Seamless User Experience | Most users prefer seamless user experiences over stringent security protocols, often compromising password security.
High user friction can lead to non-compliance with security measures, increasing cyber risk through behaviors like password reuse or sharing.
Effective user experience (UX) designs in security protocols can enhance compliance and minimize disruptions, improving overall cybersecurity.
Implementing user-friendly password policies, such as promoting passphrases over complex passwords, can improve security and usability.
Providing dynamic feedback during password creation and handling forced resets gracefully can help reduce user frustration.
Security teams should consider password aging strategies that adjust required changes based on password strength, optimizing both security and UX.
The adoption of nuanced password policies can help organizations maintain robust security while improving user satisfaction and compliance. | Details |
| 2025-03-24 09:40:41 | theregister | MISCELLANEOUS | Microsoft's Bug Report Video Requirement Sparks Backlash | Microsoft introduced a new requirement for bug reporters to include videos along with their submissions, leading to unintended consequences.
A developer showcased frustration through a 15-minute video that didn't add value beyond the initial bug report, highlighting inefficiency in the new system.
The change was presumably meant to reduce low-quality submissions but has instead been perceived as a barrier, taxing developers' time and resources.
The piece treats the video requirement as a kind of tariff on bug reporters, arguing that such burdens demotivate valuable feedback and create inefficiency rather than reducing it.
The article draws a comparison with the wider economic effects of tariffs and of Brexit, arguing that poorly planned and executed measures can produce substantial negative outcomes.
The piece suggests that better training in bug reporting could be a more productive solution rather than imposing additional burdens on reporters. | Details |
| 2025-03-24 09:22:22 | thehackernews | MALWARE | Critical Security Flaw in Next.js Could Bypass Authorization | A critical security vulnerability, CVE-2025-29927, has been identified in Next.js, affecting middleware authorization checks.
The vulnerability is rated critical, with a CVSS score of 9.1.
Attackers could exploit this flaw to skip middleware entirely and reach restricted areas of the web application, such as admin pages.
Fixed releases are Next.js 12.3.5, 13.5.9, 14.2.25, and 15.2.3; earlier releases in those branches are affected and should be upgraded.
If unable to patch promptly, users should block external requests carrying the "x-middleware-subrequest" header, which is the header abused in attacks.
Researcher Rachid Allam (aka zhero or cold-try) discovered and reported the flaw, and has since published technical details, heightening the urgency for patches.
Sites that rely solely on middleware for authorization, with no secondary checks in the routes themselves, are particularly exposed. | Details |
| 2025-03-24 05:36:02 | theregister | NATION STATE ACTIVITY | Europol Report: Rising Tech Savviness in Organized Crime Networks | Europol's recent report indicates a profound shift in organized crime, heavily integrating digital technology including AI.
Organized crime now routinely involves digital components, making illegal activities such as human smuggling and drug trafficking more sophisticated and difficult to detect.
Criminal networks are leveraging digital platforms, illicit financial flows, and geopolitical instability to expand their influence across the globe.
The report emphasizes that the evolution of organized crime undermines EU institutions and societal cohesion, posing a significant threat.
Europol warns that criminal networks might be serving as proxies for hybrid threat actors, possibly including state-aligned groups, to mutually enhance their capabilities.
The inclusion of state-of-the-art technology and AI tools in criminal operations allows these networks to operate more efficiently and evade law enforcement efforts.
The adoption of AI by these networks underscores a need for law enforcement agencies to advance their technological capabilities to effectively counter these threats. | Details |
| 2025-03-23 23:35:19 | theregister | MISCELLANEOUS | China Implements New Facial Recognition Regulations and Privacy Rules | China's Cyberspace Administration and Ministry of Public Security have introduced new regulations prohibiting the compulsory use of facial recognition technology and its usage in private areas such as hotel rooms and public facilities.
Organizations wishing to use facial recognition must perform a personal information protection impact assessment, secure explicit consent, and implement data encryption for biometric data.
The rules exempt research and algorithm training activities, potentially allowing the continued use of facial images for AI model training without broader consent.
India has crowned Zoho's Ulaa as the top national web browser through a government-backed competition, enhancing local digital autonomy and security.
Taiwanese critical infrastructure faced cyberattacks from a group identified as UAT-5918, featuring tactics similar to those of possibly state-backed Chinese hacking groups.
X (formerly Twitter) has initiated legal action against the Indian government, challenging content takedown laws that they argue suppress freedom of speech.
Japan debates a contentious cybersecurity law aiming for active defense measures, including potential offensive cyber operations while ensuring the protection of personal privacy.
The Australian Strategic Policy Institute reports harassment following critical research publications on China, with allegations of targeted online abuse against its staff. | Details |
| 2025-03-23 21:12:54 | theregister | DATA BREACH | Oracle Cloud Denies Breach Amid Claims of Stolen Customer Data | Oracle refutes allegations that its cloud services were breached and customer data stolen, despite online sale of purported security keys and sensitive data.
An unknown entity advertised on a cyber-crime forum claiming they had obtained data from Oracle Cloud’s single-sign-on servers by exploiting a vulnerability.
Oracle insists there was no breach, stating that no customer data was lost and the credentials for sale do not pertain to their cloud services.
Evidence was provided by the seller indicating a compromised Oracle server, including a text file created as proof of the breach.
Security experts suggest the server may have been vulnerable due to an unpatched critical flaw in Oracle Fusion Middleware's Access Manager.
The purported stolen data includes Java KeyStore files, encrypted passwords, and other sensitive information, potentially impacting thousands of customers.
The seller, identified as rose87168, reportedly demanded over $200 million in cryptocurrency from Oracle to reveal details of the breach, which Oracle refused.
Rose87168 also shared a list of domains of the affected companies, offering to withhold their data from sale for a ransom. | Details |
| 2025-03-23 20:12:15 | bleepingcomputer | MALWARE | Microsoft Trusted Signing Service Exploited to Sign Malware | Cybercriminals exploit Microsoft Trusted Signing service by signing malware with three-day certificates.
Signed malware potentially bypasses security systems, appearing as legitimate, due to the signing reputation.
The misuse involves certificates issued by a Microsoft-run certificate authority under the "Microsoft ID Verified" branding.
Recent campaigns, including Crazy Evil Traffers and Lumma Stealer, have used this technique.
The service, designed to streamline application security practices for developers, has inadvertently provided a new tool for cyber criminals.
Microsoft has implemented measures such as revocation of misused certificates and account suspension to combat this abuse.
Despite checks, the ease of obtaining and the transient validity of certificates make them attractive for illegal uses.
Microsoft continues to monitor for certificate misuse through threat intelligence to prevent future abuse. | Details |
| 2025-03-23 14:12:44 | bleepingcomputer | MALWARE | FBI Alerts Public to Malware Risk in Fake File Converters | The FBI has issued warnings about fraudulent online file converters being used to deploy malware and steal sensitive information.
Cybercriminals create websites that appear legitimate, offering services to convert or merge files, which can actually load malware onto users' devices.
These malicious tools can scrape uploaded documents for personal data such as Social Security numbers, banking details, and passwords.
Reports of these scams have been made to IC3.gov, including one from a public sector entity in metro Denver.
Scammers also use deceptive practices in search engine algorithms to promote their fraudulent tools, tricking users looking for legitimate file conversion services.
Malicious software associated with these scams can include ransomware, banking trojans, info stealers, and other post-exploitation tools capable of extensive network breaches.
The FBI advises the public to research file conversion tools thoroughly and to check user reviews before downloading to avoid falling victim to these scams. | Details |
| 2025-03-23 13:09:04 | theregister | NATION STATE ACTIVITY | Ex-NSA Chief Discusses Election Security and Adversarial Strategies | Former NSA head Mike Rogers highlighted Russia's decreased visibility in U.S. election meddling, attributing it to increased U.S. election security measures.
Rogers shared insights on the uncertain future of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) amid suggestions to refocus its mandate away from misinformation.
Persistent engagement with adversaries has been a cornerstone strategy for U.S. Cyber Command, enhancing situational awareness and intelligence.
The U.S. government plays a critical role in national cybersecurity, leveraging its unique capabilities, intelligence, and regulatory powers.
In his post-NSA career, Rogers is focusing on integrating cybersecurity within fintech and healthcare sectors through his role at Team8.
Rogers also commented on the current and potential future impacts of AI on cybersecurity, noting its stronger application in offensive rather than defensive strategies. | Details |
| 2025-03-23 05:33:58 | thehackernews | CYBERCRIME | GitHub Attack Exposes Secrets, Targets Coinbase Repositories | A targeted cyber attack on GitHub Action "tj-actions/changed-files" began with one of Coinbase's open-source projects and expanded widely, impacting 218 repositories.
The attack used the public CI/CD pipeline as a foothold for possible further breaches, though the damage to Coinbase was contained and its key secrets were not exposed.
The breach, identified on March 14, 2025, resulted in the leakage of DockerHub, npm, and AWS credentials and GitHub tokens from affected repositories.
Another GitHub Action, "reviewdog/action-setup," was compromised earlier and spread the malicious code to actions that depended on it.
Attackers employed techniques to hide their activity, including using disposable email addresses and concealing their actions on GitHub.
So far, no evidence suggests that GitHub's own systems were compromised; the platform remains focused on overseeing and mitigating malicious activities.
GitHub advises users to thoroughly review third-party GitHub Actions before incorporating them into their projects to prevent similar incidents.
It's suspected that the attack's primary aim was financial gain, likely targeting cryptocurrency theft from Coinbase, a major crypto exchange platform. | Details |
| 2025-03-22 15:39:35 | bleepingcomputer | MISCELLANEOUS | Cloudflare Halts All Unencrypted API Traffic to Boost Security | Cloudflare announced it will only accept HTTPS connections for api.cloudflare.com, completely blocking all HTTP connections.
The company's decision is aimed at preventing the exposure of sensitive information in cleartext during HTTP-to-HTTPS redirections.
Developers using HTTP for Cloudflare API access will need to update their systems to accommodate this security enhancement.
This change is critical in environments like public or shared Wi-Fi, where unencrypted connections are more susceptible to attacks.
Systems, tools, and IoT devices relying on HTTP will face disruptions and require updates for continued functionality.
Cloudflare plans to release a feature later this year that will let customers safely disable plaintext HTTP traffic for their own domains.
Despite HTTPS being more secure, Cloudflare's data shows a notable percentage of internet traffic still uses HTTP, especially automated traffic.
The report ends with a general security notice, revealing top security risks and defensive strategies unrelated to Cloudflare's update. | Details |
| 2025-03-22 14:31:56 | bleepingcomputer | MALWARE | Microsoft's Trusted Signing Service Exploited for Malware Attacks | Cybercriminals are exploiting Microsoft's Trusted Signing service to code-sign malware with short-lived certificates.
The malware executables are signed with certificates issued by "Microsoft ID Verified CS EOC CA 01" that are valid for only three days, but signatures made with them remain valid after the certificate expires until it is revoked.
Signed malware can bypass security filters more easily and look legitimate; historically attackers sought Extended Validation (EV) code-signing certificates for the reputation boost they provide.
Microsoft's platform was designed to improve security by issuing short-lived certificates and keeping the signing keys out of developers' hands, reducing the risk of theft.
High-profile malware campaigns are already utilizing these certificates, evidenced by identified samples in the Crazy Evil Traffers and Lumma Stealer campaigns.
BleepingComputer reported that attackers favor Microsoft's service because certificates are easier to obtain from it and because it is unclear whether EV certificates still confer the reputation advantage they once did.
Microsoft employs threat intelligence monitoring to detect misuse and responds by revoking abused certificates and suspending associated accounts. | Details |
| 2025-03-22 07:40:20 | thehackernews | NATION STATE ACTIVITY | U.S. Treasury Reverses Tornado Cash Sanctions Following Court Ruling | The U.S. Treasury Department has lifted sanctions on Tornado Cash, a cryptocurrency mixer previously linked to North Korea's Lazarus Group.
This decision followed a U.S. Fifth Circuit court ruling which found that OFAC exceeded its authority by sanctioning the service, as its smart contracts aren't considered "property" under relevant laws.
More than 100 Ethereum wallet addresses associated with Tornado Cash have been removed from the Specially Designated Nationals (SDN) list.
Originally sanctioned in August 2022, Tornado Cash was accused of laundering over $7.6 billion in cryptocurrency since 2019.
The court stated that immutable smart contracts do not have a controlling party, complicating the application of economic sanctions.
The Treasury remains focused on combating malicious uses of digital assets and preventing North Korea from financing its weapons programs.
The Treasury emphasizes the potential of digital assets for innovation and the importance of securing the industry from misuse. | Details |
| 2025-03-21 23:38:02 | bleepingcomputer | CYBERCRIME | Coinbase Targeted in GitHub Actions Supply Chain Attack | Researchers from Palo Alto Unit 42 and Wiz identified a GitHub Actions supply chain attack primarily targeting Coinbase.
The attackers injected malicious code into the reviewdog/action-setup@v1 GitHub Action to compromise CI/CD secrets and authentication tokens.
The breach allowed threat actors to steal a Personal Access Token and push a harmful commit to another GitHub Action, tj-actions/changed-files.
This attack dumped more CI/CD secrets into workflow logs and targeted over 20,000 projects, although only 218 repositories were ultimately affected.
Coinbase's agentkit project, which enables AI interaction with blockchains, was specifically targeted, though the attack was ultimately unsuccessful against Coinbase assets.
The compromised GitHub action was used initially to target Coinbase and expanded to other projects when initial attempts failed.
Coinbase confirmed the attack did not cause any damage or loss to their assets after being alerted by the Palo Alto Unit 42 team. | Details |
| 2025-03-21 20:50:54 | bleepingcomputer | DATA BREACH | Alleged Oracle Cloud Breach Claims Contested by Company | Oracle refutes allegations of a breach following claims by a hacker, rose87168, that they stole 6 million records from Oracle Cloud’s federated SSO login servers.
Rose87168 provided evidence including text files and LDAP information purportedly from Oracle Cloud, even showing a .txt file upload to an Oracle server.
The data for sale included encrypted SSO passwords and other sensitive files, with rose87168 claiming the ability to decrypt these passwords.
The hacker demanded that companies pay to have their employees' information excluded from the sale list, posing a targeted threat to affected enterprises.
Oracle insists that no Oracle Cloud customers experienced a breach or data loss according to their investigation.
The situation remains unresolved as rose87168 continues to offer the data in exchange for money or zero-day exploits, underlining the ongoing risk to the affected entities.
BleepingComputer has reached out to potentially affected companies to validate the claims of stolen data; updates are pending based on these confirmations. | Details |
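The 2025-03-24 thehackernews entry on password security describes two measures, dynamic feedback during password creation and aging that scales with password strength. The block below is an added example of both, written for this brief; it is not the article's or any vendor's code. The entropy estimate is a crude brute-force bound, and `MIN_LENGTH`, `ACCEPT_BITS`, the "other symbols" bucket and the `AGING_SCHEDULE` are illustrative assumptions rather than a published standard.

```python
"""Dynamic password feedback and strength-scaled expiry.
Added example; thresholds and the aging schedule are assumptions."""

import math
import string
from typing import Dict, List, Optional

MIN_LENGTH = 12          # assumption
ACCEPT_BITS = 45.0       # assumption
# Assumption: stronger passwords live longer before a forced change.
AGING_SCHEDULE = [(80.0, 365), (60.0, 180), (ACCEPT_BITS, 90)]  # (min_bits, max_age_days)
KNOWN_CHARS = set(string.ascii_letters + string.digits + string.punctuation + " ")


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet containing every character."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    if " " in pw:
        size += 1
    if any(c not in KNOWN_CHARS for c in pw):
        size += 32  # assumption: nominal bucket for other symbols
    return size


def estimate_bits(pw: str) -> float:
    """length * log2(alphabet). An upper bound: dictionary words and keyboard
    patterns are not modelled, so use it to reject, not to certify."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def max_age_days(bits: float) -> Optional[int]:
    """Longest permitted lifetime for a password of this estimated strength."""
    for min_bits, days in AGING_SCHEDULE:
        if bits >= min_bits:
            return days
    return None  # below the acceptance threshold


def feedback(pw: str) -> Dict[str, object]:
    """What a sign-up form would show as the user types."""
    bits = estimate_bits(pw)
    messages: List[str] = []
    if len(pw) < MIN_LENGTH:
        messages.append(f"Use at least {MIN_LENGTH} characters; a few unrelated words work well.")
    if bits < ACCEPT_BITS:
        messages.append("Too easy to guess. Adding length helps more than adding symbols.")
    accept = len(pw) >= MIN_LENGTH and bits >= ACCEPT_BITS
    return {
        "bits": round(bits, 1),
        "accept": accept,
        "max_age_days": max_age_days(bits) if accept else None,
        "messages": messages,
    }


if __name__ == "__main__":
    for candidate in ("P@ss1", "Tr0ub4dor&3", "correct horse battery staple"):
        print(repr(candidate), feedback(candidate))
```

Run as-is, the three constructed candidates illustrate the entry's point: the short "complex" password is rejected outright, the symbol-heavy eleven-character one scores well on entropy but fails the length floor, and the plain four-word passphrase is accepted with the longest aging interval.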
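For the 2025-03-24 thehackernews entry on CVE-2025-29927, the two recommendations are to block the "x-middleware-subrequest" header until patched and not to rely on middleware alone for authorization. The following is an added example of both checks as they would sit in a reverse proxy or WAF rule and in a route handler; it is not Next.js or Vercel code. The request header dictionaries and the `session` object are constructed stand-ins, and the rule rejects the header whatever its value, since an external client has no legitimate reason to send it.

```python
"""Interim mitigation for the Next.js middleware bypass at the edge, plus a
route-level authorization check that does not trust middleware.
Added example; headers and sessions below are constructed."""

from typing import Mapping, Optional

# Internal Next.js header named in the advisory. Reject any occurrence from
# outside, regardless of value.
BLOCKED_HEADER = "x-middleware-subrequest"


def carries_subrequest_header(headers: Mapping[str, str]) -> bool:
    """HTTP header names are case-insensitive, so normalise before comparing."""
    return any(name.strip().lower() == BLOCKED_HEADER for name in headers)


def edge_decision(headers: Mapping[str, str]) -> str:
    """Decision for an inbound request at the edge: 'reject' or 'forward'."""
    return "reject" if carries_subrequest_header(headers) else "forward"


def strip_internal_headers(headers: Mapping[str, str]) -> dict:
    """Alternative to rejecting: drop the header before forwarding to Next.js."""
    return {k: v for k, v in headers.items() if k.strip().lower() != BLOCKED_HEADER}


def route_authorized(session: Optional[dict], required_role: str = "admin") -> bool:
    """Secondary check inside the route handler itself. If middleware is
    skipped for any reason, the handler still refuses unless the session was
    validated server-side and carries the required role."""
    if not session or not session.get("valid"):
        return False
    return required_role in session.get("roles", ())


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal": {"Host": "app.example", "Cookie": "session=abc"},
    "probe_lower": {"Host": "app.example", "x-middleware-subrequest": "1"},
    "probe_mixed": {"Host": "app.example", "X-Middleware-SubRequest": "1"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:12} -> {edge_decision(hdrs)}")
    print("admin route, no session    ->", route_authorized(None))
    print("admin route, admin session ->", route_authorized({"valid": True, "roles": ["admin"]}))
```

Rejecting is the safer default while unpatched; stripping is the option when rejecting would break a client you cannot fix. Neither replaces the upgrade, and the route-level check is worth keeping after it.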
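The 2025-03-22 bleepingcomputer entry on Cloudflare's HTTPS-only API explains why an HTTP-to-HTTPS redirect is not a safe net: the first request, credentials included, has already crossed the network in the clear. The block below is an added client-side guard illustrating that point; it is not Cloudflare's code. The URLs and header values are constructed, no network is used, and the `SENSITIVE_HEADERS` list (Authorization plus the legacy X-Auth-Key/X-Auth-Email pair, with Cookie added for browser sessions) is this example's own choice.

```python
"""Client-side guard for API calls that must never travel in cleartext.
Added example; refuses http:// before sending and refuses downgrade redirects."""

from typing import List, Mapping
from urllib.parse import urljoin, urlsplit

# Header names whose values are credentials (example's own list).
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "x-auth-key", "x-auth-email"})


class InsecureTransport(Exception):
    pass


def require_https(url: str) -> str:
    """Fail closed: a plaintext request is unsafe even if the server would
    redirect to HTTPS, because the headers have already gone out by then."""
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        raise InsecureTransport(f"refusing to send credentials over {scheme or 'an unknown scheme'}: {url}")
    return url


def exposed_headers(url: str, headers: Mapping[str, str]) -> List[str]:
    """Credential headers that would be visible on the wire for this URL."""
    if urlsplit(url).scheme.lower() == "https":
        return []
    return sorted(name for name in headers if name.lower() in SENSITIVE_HEADERS)


def safe_redirect_target(current_url: str, location: str) -> str:
    """Resolve a Location header and accept it only if it stays on https.
    Generic HTTP clients follow downgrades and resend credentials in the clear."""
    target = urljoin(current_url, location)
    return require_https(target)


# Constructed sample request; the token is not real.
SAMPLE_HEADERS = {
    "Authorization": "Bearer example-token",
    "Accept": "application/json",
    "X-Auth-Email": "ops@example.com",
}

if __name__ == "__main__":
    print("would leak:", exposed_headers("http://api.cloudflare.com/client/v4/user", SAMPLE_HEADERS))
    try:
        require_https("http://api.cloudflare.com/client/v4/user")
    except InsecureTransport as exc:
        print("blocked:", exc)
    print(safe_redirect_target("https://api.cloudflare.com/client/v4/zones", "/client/v4/zones/"))
```

The same two checks belong in any script, cron job or device that calls an API with a token, which is the population Cloudflare's data says still speaks plain HTTP.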
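The two bleepingcomputer entries on Microsoft Trusted Signing (2025-03-23 and 2025-03-22) leave a detection team with a specific profile: signer certificates from "Microsoft ID Verified CS EOC CA 01", valid for three days, whose signatures stay valid after expiry until revoked. The block below is an added triage rule for that profile and is not Microsoft's or BleepingComputer's code. The certificate records are constructed; extracting issuer, subject and validity dates from a signed PE (for instance with osslsigncode or the signify library) and querying CRL/OCSP happen elsewhere and are only fed in here, and `KNOWN_PUBLISHERS` stands in for an organisation's own vetted-publisher allowlist.

```python
"""Triage for Authenticode signer certificates from Microsoft Trusted Signing.
Added example; certificate records are constructed, revocation status is an input."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Tuple

# Issuer named in the report; certificates from it are valid for three days.
TRUSTED_SIGNING_ISSUER = "Microsoft ID Verified CS EOC CA 01"
SHORT_LIVED = timedelta(days=3)

# Assumption: the organisation's own allowlist of publishers it has vetted.
KNOWN_PUBLISHERS: FrozenSet[str] = frozenset({"Known Vendor Inc"})


@dataclass(frozen=True)
class SignerCert:
    issuer_cn: str
    subject_cn: str
    not_before: datetime
    not_after: datetime
    revoked: bool  # outcome of a CRL/OCSP lookup performed outside this snippet


def triage(cert: SignerCert, known: FrozenSet[str] = KNOWN_PUBLISHERS) -> Tuple[str, str]:
    """Return (verdict, reason). Every Trusted Signing certificate is short-lived,
    so lifetime alone proves nothing; the signal is a short-lived certificate from
    this issuer whose publisher identity nobody has vetted."""
    if cert.revoked:
        return "block", "signer certificate has been revoked"
    if cert.issuer_cn != TRUSTED_SIGNING_ISSUER:
        return "allow", "not a Trusted Signing certificate; apply normal checks"
    if cert.subject_cn in known:
        return "allow", "Trusted Signing certificate from a vetted publisher"
    if cert.not_after - cert.not_before <= SHORT_LIVED:
        return "review", "short-lived Trusted Signing certificate from an unvetted publisher"
    return "review", "Trusted Signing issuer with unexpected lifetime"


def signature_trusted(cert: SignerCert, signing_time: datetime) -> bool:
    """Authenticode in brief: a timestamped signature stays valid after the
    certificate expires, provided the certificate was valid at signing time and
    has not been revoked. Revocation, not expiry, is what disarms an abused cert."""
    if cert.revoked:
        return False
    return cert.not_before <= signing_time <= cert.not_after


# Constructed sample records (not real certificates).
THREE_DAY = (datetime(2025, 3, 18), datetime(2025, 3, 21))
SIGNED_IN_WINDOW = datetime(2025, 3, 19)
SIGNED_AFTER_EXPIRY = datetime(2025, 3, 25)
SAMPLES = {
    "unvetted_short": SignerCert(TRUSTED_SIGNING_ISSUER, "Example Software LLC", *THREE_DAY, revoked=False),
    "vetted_short": SignerCert(TRUSTED_SIGNING_ISSUER, "Known Vendor Inc", *THREE_DAY, revoked=False),
    "revoked": SignerCert(TRUSTED_SIGNING_ISSUER, "Example Software LLC", *THREE_DAY, revoked=True),
    "classic_ca": SignerCert("Some Public Code Signing CA", "Example Software LLC",
                             datetime(2024, 1, 1), datetime(2025, 1, 1), revoked=False),
}

if __name__ == "__main__":
    for label, cert in SAMPLES.items():
        print(f"{label:15} -> {triage(cert)}")
    print("signed in window, checked after expiry:",
          signature_trusted(SAMPLES["unvetted_short"], SIGNED_IN_WINDOW))
```

The practical consequence of `signature_trusted` is that a three-day window gives no comfort: a file signed on day two is still validly signed a month later, so hunting should key on issuer plus publisher identity and on whether Microsoft has revoked the certificate, not on the expiry date.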
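The two entries on the tj-actions/changed-files and reviewdog/action-setup compromise (thehackernews 2025-03-23 and bleepingcomputer 2025-03-21) end with GitHub's advice to review third-party Actions before using them. The concrete check most teams add after an incident like this is to pin each third-party action to a full commit SHA, since a tag such as `@v1` or `@v45` can be moved to a new commit and a SHA cannot. The scanner below is an added example of that check, not GitHub's tooling; the workflow snippet is constructed, the SHA in it is a placeholder rather than a real commit, and treating the `actions` and `github` owners as first-party is this example's assumption.

```python
"""Flag third-party GitHub Actions referenced by a mutable tag or branch
instead of an immutable commit SHA. Added example; sample workflow is constructed."""

import re
from typing import List, NamedTuple

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Assumption: actions owned by these accounts are treated as first-party.
FIRST_PARTY_OWNERS = frozenset({"actions", "github"})


class ActionRef(NamedTuple):
    line: int
    action: str
    ref: str
    pinned: bool       # ref is a full 40-hex commit SHA
    third_party: bool  # owner not in FIRST_PARTY_OWNERS


def scan_workflow(text: str) -> List[ActionRef]:
    """Every `uses:` that points at a remote repository action."""
    refs: List[ActionRef] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        match = USES_RE.match(raw)
        if not match:
            continue
        target = match.group(1).strip("'\"")
        # Local (./path) and container (docker://) actions follow a different
        # trust model and are out of scope for this check.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        owner = action.split("/", 1)[0]
        refs.append(ActionRef(lineno, action, ref,
                              pinned=bool(FULL_SHA_RE.match(ref)),
                              third_party=owner not in FIRST_PARTY_OWNERS))
    return refs


def findings(text: str) -> List[ActionRef]:
    """Third-party actions that a tag move or force-push could silently redirect."""
    return [r for r in scan_workflow(text) if r.third_party and not r.pinned]


# Constructed workflow for illustration; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-check
"""

if __name__ == "__main__":
    for f in findings(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref} is not pinned to a commit SHA")
```

Run over `.github/workflows/*.yml` in CI, this turns the advice into a failing check. Pinning fixes the reference, not the code behind it: the commit you pin still has to be reviewed, and in this incident the secrets were dumped into workflow logs, so log visibility on public repositories is the other half of the exposure to consider.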