Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-21 17:39:00 | theregister | DATA BREACH | Coinbase Insider Data Leak Affects 70,000 Users, Prompting SEC Filing | Coinbase confirmed a data breach involving insider staffers who were bribed, impacting 69,461 users. The breach occurred on December 26, 2024, but was only discovered on May 11 of the following year. Affected users received notification letters, and the breach was reported to the Maine Attorney General and disclosed in a Form 8-K filing to the SEC on May 15. Stolen data did not include passwords or direct account access information; the main concern is the potential for social engineering attacks. Coinbase fired the complicit support staff and has yet to disclose the exact location of these employees, although job postings hint at locations in the UK, Ireland, India, the Philippines, and Japan. Remediation costs are estimated between $180 million and $400 million, with ongoing investigations into the full extent of the damage. The company offered identity protection services to affected customers and implemented stronger security measures. A $20 million bounty was established for information leading to the capture and conviction of the culprits involved. | Details |
| 2025-05-21 17:32:23 | bleepingcomputer | RANSOMWARE | Advanced Ransomware Attack Utilizes IT Spoofing and Email Bombing | A ransomware group known as 3AM has been deploying targeted attacks that leverage email bombing and spoofed IT support calls to trick employees into giving up remote access credentials. Tactics involve intense email bombing followed by social engineering of employees, impersonating their IT department via spoofed phone numbers, which results in network access being obtained. The attack methodology includes the installation of a malicious archive containing a script and virtual emulators to establish backdoor access and evade detection systems. Beyond initial infiltration, the attackers performed network reconnaissance, created administrative accounts, installed remote management software, and eventually exfiltrated significant data volumes. In one recent incident, while the ransomware's attempt to encrypt files en masse was blocked by cybersecurity defenses, the attackers managed to export 868 GB of sensitive data to an external cloud storage service within three days. Sophos identified these attacks and suggested enhancing security measures such as auditing account security, utilizing extended detection and response (XDR) tools, enforcing signed script policies, and enhancing employee phishing awareness to mitigate similar threats. The cybercriminals linked to this ransomware operation are believed to be associated with previously known ransomware groups like Conti and Royal. | Details |
| 2025-05-21 16:04:13 | bleepingcomputer | MALWARE | Global Crackdown on Lumma Malware Disrupts Cybercrime Operations | A coordinated global action seized over 2,300 domains and dismantled key infrastructure of the Lumma malware-as-a-service operation earlier this month. The collaborative effort involved Microsoft, DOJ, Europol, JC3, and various tech firms like Cloudflare, ESET, and BitSight. Microsoft's actions, backed by legal efforts, led to the identification of approximately 394,000 infected Windows computers worldwide. The DOJ and Europol targeted the malware's control panels and marketplaces, critically impacting the operators' ability to distribute and manage stolen data. Cloudflare improved security measures by implementing the Turnstile service to prevent the malware from bypassing interstitial warning pages. The crackdown not only damaged Lumma's operational abilities but also imposed significant financial losses on its operators and users. Lumma, known for its data theft capabilities, targets both Windows and macOS systems and is distributed through various channels like GitHub and malvertising. The disruption is expected to force Lumma's operators and customers to rebuild their services using new infrastructure, increasing their operational costs and complexity. | Details |
| 2025-05-21 15:38:34 | theregister | DATA BREACH | Delta Proceeds with Lawsuit Against CrowdStrike for Damages | Delta Air Lines is suing cybersecurity firm CrowdStrike for negligence and computer trespass after a faulty update disrupted operations. An update to CrowdStrike's Falcon system in July caused Blue Screens of Death on approximately 8.5 million Windows PCs globally. The software malfunction forced Delta to cancel around 7,000 flights, exacerbating operational challenges and customer dissatisfaction. Although allegations of intentional misrepresentation and fraud by omission were dismissed, the case will continue with other claims intact. Potential damages for Delta are capped in the single-digit millions due to contractual limitations, even in the worst-case financial scenario. CrowdStrike remains "confident" that any damages awarded will be limited, despite the significant operational impact on Delta. The incident led to an investigation by the US Department of Transportation and a separate class-action lawsuit from affected passengers. Delta blames the severe disruption on both CrowdStrike and Microsoft, although Microsoft denies responsibility. | Details |
| 2025-05-21 15:19:50 | bleepingcomputer | MALWARE | Over 100 Malicious Chrome Extensions Mimic Legit Tools | A Google Chrome Web Store campaign involved over 100 malicious browser extensions impersonating legitimate tools such as VPNs, AI assistants, and crypto utilities. These extensions have dual functionality: providing some of the promised services while secretly connecting to a threat actor's infrastructure to steal sensitive user data and receive malicious commands. The fake tools were found to modify network traffic for ad delivery, redirections, and proxying, and were promoted through more than 100 fake domains. Security researchers identified dangerous permissions within the extensions that allow the theft of browser cookies and session tokens and enable dynamic script injection and DOM-based phishing. Certain extensions, including one named "fortivpn", could steal cookies, modify traffic, and route users' traffic through potentially malicious servers. Exploitation via these malicious extensions could lead to account hijacking, personal data theft, browsing activity surveillance, and even corporate network breaches via legitimate company VPN devices or accounts. Despite Google removing many identified malicious extensions, researchers noted that the actor's persistence and the lag in detection and removal continue to pose significant threats. Users are advised to only download extensions from reputable publishers and to scrutinize user reviews for any potential red flags to avoid falling victim to such scams. | Details |
| 2025-05-21 14:49:03 | theregister | MISCELLANEOUS | Google Expands Sovereign Cloud Services Amid Global Demand | Google has enhanced its sovereign cloud offerings to address growing global concerns about data sovereignty and security. The move includes air-gapped and region-specific solutions. Google Cloud Air-Gapped provides a fully standalone ecosystem for users with stringent security needs, such as those in intelligence and defense, ensuring operational continuity without reliance on external networks. Google Cloud Dedicated, developed in collaboration with Thales, aims to meet local sovereignty standards and is prepped to serve AI workloads with specialized hardware. Google Cloud Data Boundary lets customers control data storage and processing locations, enhanced with a new User Data Shield to secure applications further. The expanded cloud services are a response to increased customer unease over U.S. dominance in digital infrastructure and potential foreign governmental access to sensitive data. Google's approach offers a suite of tailored solutions to fit various regulatory requirements and business needs, contrasting with one-size-fits-all models. Major competitors like Amazon and Microsoft have also recently intensified efforts to cater to European demands for data sovereignty amid escalating geopolitical tensions. Google's president of customer experience, Hayete Gallot, emphasizes the importance of providing flexible and secure options for clients as global instability increases demand for cloud sovereignty options. | Details |
| 2025-05-21 14:11:06 | bleepingcomputer | MISCELLANEOUS | ThreatLocker Enhances Patch Management for Modern Cyber Defenses | Patching vulnerabilities remains a crucial yet challenging cybersecurity task due to operational constraints and the rapid exploitation of vulnerabilities by adversaries. Traditional patch management strategies often fall short, as hasty deployments can introduce additional risks, despite patches being available for extensive periods. ThreatLocker's approach integrates Ringfencing to protect fully patched apps from being exploited, aiming to prevent attacks and unauthorized lateral movement. Designed for Zero Trust environments, ThreatLocker treats every patch as untrusted until verified through rigorous internal reviews and testing by application engineers. During a recent zero-click vulnerability in Microsoft Outlook, ThreatLocker users were able to mitigate risks much faster than those with traditional patch management systems. ThreatLocker provides tools for automation and control, enabling precision in patch management, which is essential for modern cybersecurity strategies. The article emphasizes that effective patch management transcends compliance, integrating into strategic security operations for serious security-focused organizations. | Details |
| 2025-05-21 13:42:59 | theregister | NATION STATE ACTIVITY | Trump Announces Golden Dome, a High-Cost Missile Defense System | President Trump has announced the "Golden Dome" defense initiative, a plan to cover the US with a network of missile interceptors, satellites, and radar systems. The initiative includes a $25 billion initial funding segment, part of a projected overall spend possibly reaching beyond $175 billion. The system is designed to counteract various types of missiles, including ballistic, hypersonic, and cruise missiles, through a combination of space-based and terrestrial technologies. Trump referenced the historical context of missile defense dating back to Reagan's era, presenting this as a continuation and completion of Reagan's vision to neutralize missile threats. The implementation involves major domestic production, with Trump highlighting Silicon Valley's role and potential collaborations with Canada under conditions of financial contribution. A Congressional Budget Office report estimates the potential cost for a functional space-based intercept system at between $161 billion and $831 billion over 20 years. Skepticism remains about the effectiveness of the Golden Dome, particularly against large-scale missile attacks or those using advanced decoy tactics. The project is seen by some as a lucrative opportunity for defense contractors and commercial entities like those owned by Elon Musk. | Details |
| 2025-05-21 13:42:58 | bleepingcomputer | NATION STATE ACTIVITY | EU Sanctions Stark Industries for Enabling Russian Cyberattacks | The European Union has sanctioned Stark Industries, a web-hosting provider, for supporting Russian cyber efforts and destabilising activities. CEO Iurie Neculiti and owner Ivan Neculiti of Stark Industries are specifically targeted due to their roles in enabling these cyber activities. Stark Industries is noted for being a historically bulletproof hosting provider, facilitating cyberattacks, including DDoS and disinformation campaigns advantageous to Russia. Investigations reveal Stark Industries had provided infrastructure for notorious cyber groups like FIN7, facilitating severe security threats. Despite Stark Industries' recent collaboration with cybersecurity firms to dismantle malicious infrastructure, EU sanctions proceed based on their prolonged enabling of harmful cyber activities. Additional sanctions by the EU target various other entities and individuals involved in propagating Russian foreign policy and misinformation. Sanctions include asset freezes and travel bans into the EU for the designated individuals and entities. Alongside Stark Industries, media outlets, news agencies, and companies tied to Russian espionage and electronic warfare activities faced EU sanctions. | Details |
| 2025-05-21 13:18:18 | thehackernews | MALWARE | Surge in PureRAT Malware Attacks on Russian Firms in 2025 | A significant increase in PureRAT malware attacks targeting Russian businesses has been identified, with incidents quadrupling early in 2025 compared to the same timeframe in 2024. These malware attacks begin with a deceptive phishing email that includes a malicious RAR file attachment, disguised as a reputable document. Upon execution, the malware installs a RAT (Remote Access Trojan) that can control the infected system, capture keystrokes, and access files, cameras, and microphones. The executable involved in the attack sequence not only deploys the RAT but also downloads auxiliary components capable of conducting espionage and data theft. PureLogs, another component of the malware, specifically targets and extracts sensitive data from web browsers, email clients, and cryptocurrency wallets. Kaspersky has not attributed these attacks to any specific threat actor, emphasizing the ongoing threat to Russian firms through malicious email campaigns. The comprehensive capabilities of PureRAT and PureLogs highlight a sophisticated and well-resourced malware operation aimed at acquiring confidential data and maintaining persistent access to compromised systems. | Details |
| 2025-05-21 12:19:38 | thehackernews | MALWARE | Over 22 Million At Risk from Fake Kling AI Facebook Malware Ads | Counterfeit Facebook ads are directing users to fake Kling AI websites, ultimately downloading remote access Trojan (RAT) malware. Kling AI, a popular AI-driven image and video synthesis platform by Kuaishou Technology, has been impersonated to deceive users. First detected in early 2025, these fake platforms, like klingaimedia[.]com, lure users into downloading harmful executable files disguised with double extensions. The malicious software establishes persistence on infected systems, monitors for analysis tools, and evades detection via legitimate system processes. The malware, specifically PureHVNC RAT, steals data from cryptocurrency wallets through browser-stored credentials and captures sensitive information via screenshots. At least 70 promoted posts from fraudulent social media accounts were identified, with links pointing back to Vietnamese threat actors. These attacks are part of a larger trend exploiting the surging interest in generative AI tools to distribute information-stealing malware via social media platforms. Meta faces broader challenges with an "epidemic of scams" on its platforms, including Facebook and Instagram. | Details |
| 2025-05-21 11:50:00 | bleepingcomputer | CYBERCRIME | Ransomware Attack Causes Major Disruption at Kettering Health | Kettering Health, a major healthcare network in Ohio, experienced a significant cyberattack resulting in a system-wide technology outage. The attack led to the cancellation of elective inpatient and outpatient procedures and an ongoing disruption to its call center operations. Kettering Health employs over 15,000 staff and operates 14 medical centers and over 120 outpatient facilities, all of which have been affected. CNN reports attribute the ransomware attack to the Interlock ransomware gang, which has threatened to leak stolen data unless a ransom is paid. The organization advised patients against making credit card payments over the phone due to potential scam activity linked to the incident. While emergency services continue, elective procedures have been postponed with plans to reschedule. There is still no confirmation from Kettering Health as to whether patient data was compromised during the attack. | Details |
| 2025-05-21 11:30:46 | thehackernews | MISCELLANEOUS | Enhancing CI/CD Security with Wazuh Integration | CI/CD practices accelerate software development but introduce security vulnerabilities such as supply chain attacks and insider threats. Continuous security monitoring and enforcement of best practices are essential at all stages of CI/CD workflows to mitigate risks. Wazuh, an open-source security platform, enhances CI/CD security through unified XDR and SIEM capabilities. Wazuh enables detailed monitoring of CI/CD environments, including servers, orchestration tools, and version control systems, to detect unauthorized activities and breaches. Features such as File Integrity Monitoring (FIM) help in real-time detection of unauthorized changes, with alerts generated for suspicious file activity. Wazuh supports custom rule creation and streamlines security monitoring tailored to specific CI/CD needs, adhering to benchmarks such as the CIS Docker Benchmark. Integration capabilities with third-party tools, such as container vulnerability scanners, ensure comprehensive security checks throughout the CI/CD pipeline. Automated incident response by Wazuh minimizes manual intervention and swiftly addresses threats, maintaining the efficiency and reliability of CI/CD workflows. | Details |
| 2025-05-21 10:31:06 | thehackernews | CYBERCRIME | Streamlining Phishing Detection with Interactive Sandboxing | Phishing remains a top threat in corporate security, exploiting employee trust to gain unauthorized access. Interactive sandboxing is proposed as an effective solution for analyzing suspicious emails and links without compromising system security. The ANY.RUN sandbox allows safe detonation of phishing emails, displaying behaviors such as redirects and CAPTCHA challenges that automated tools typically miss. Once a phishing attempt is confirmed, the sandbox helps trace the full attack chain and gather indicators of compromise (IOCs) efficiently. Features of ANY.RUN include a fast analysis interface, the ability to auto-handle elements like CAPTCHAs, and comprehensive logging of network traffic and behavior. Utilizing sandboxes like ANY.RUN simplifies the process of identifying phishing infrastructure, providing crucial evidence for quick response and future prevention. The method ensures that SOC teams can conduct thorough analyses and obtain detailed reports in less than 40 seconds, enhancing both detection and response times. | Details |
| 2025-05-21 10:12:41 | bleepingcomputer | CYBERCRIME | Marks & Spencer Suffers $402 Million Hit from Cyberattack | Marks & Spencer (M&S) anticipates a potential £300 million ($402 million) profit loss due to a recent cyberattack. The attack led to significant disruption of online sales and operations, with system downtime impacting the retailer heavily. Recovery includes additional costs in waste, logistics, and stock management while M&S operates manually. Online retail systems remain disabled, and disruptions are expected to continue affecting operations until at least July. The attack was performed using DragonForce ransomware by the group Scattered Spider, which is also responsible for attacks on other UK retail chains. M&S confirmed the theft of customer data during the attack, adding to potential long-term reputational damage. The UK National Cyber Security Centre has issued warnings and guidance in light of these attacks targeting UK retailers. Scattered Spider has expanded its operations, now also targeting U.S. retailers, signaling a broader threat landscape. | Details |