Daily Brief

2025-05-21 09:35:47 bleepingcomputer DATA BREACH Coinbase Data Breach Impacts Over 69,000 Customers Globally
Coinbase disclosed a data breach affecting 69,461 customers, under 1% of its monthly transacting users. Exposed data includes names, addresses, phone numbers and email addresses; masked Social Security numbers (last four digits); masked bank account numbers and some bank identifiers; government-ID images; and account data such as balance snapshots and transaction histories. Login credentials, two-factor codes and private keys were not taken, so the main risk is social engineering: the stolen details let criminals impersonate Coinbase support convincingly. The attackers obtained the data by bribing overseas customer-support contractors, who have since been dismissed, and then demanded $20 million not to publish it. Coinbase refused and instead offered a $20 million reward for information leading to the culprits. It estimates remediation and voluntary customer reimbursement costs of $180 million to $400 million, will reimburse customers who were tricked into sending funds, and urges users to enable withdrawal address allow-listing and hardware-key or app-based two-factor authentication, and to treat unsolicited calls from "Coinbase support" as fraudulent.
2025-05-21 09:29:05 theregister CYBERCRIME M&S Faces Massive Financial Hit from Sophisticated Cyberattack
Marks & Spencer expects the ongoing cyberattack to cut operating profit by around £300 million in its 2025/26 financial year, through lost sales (online ordering has been suspended for weeks), the cost of running logistics manually, and remediation work. The retailer plans to claim up to £100 million under its cyber insurance. CEO Stuart Machin said the focus is on recovery and on accelerating the company's technology transformation. The results for the year just ended were unaffected: adjusted pre-tax profit rose 22.2% and sales grew 6.1%. Customer data such as contact details, dates of birth and order histories was stolen, but M&S says no usable payment card details or account passwords were taken. Its share price has fallen roughly 12% since the attack began, reflecting investor concern about the near-term financial hit.
2025-05-21 09:03:54 thehackernews CYBERCRIME New JavaScript Scam Redirects Mobile Users to Adult Content Apps
Researchers have uncovered a campaign that injects malicious JavaScript into legitimate websites to redirect visitors to a Chinese-language adult-content scam delivered as a Progressive Web App (PWA). The injected code checks for a mobile browser and only fires on Android and iOS, leaving desktop visitors (and many security scanners) untouched. Victims pass through several intermediary pages before landing on a fake app-store page that prompts them to install the PWA, which then behaves like a native app and persists on the home screen while sidestepping app-store review and some browser protections. Although the payload is adult-content and ad fraud rather than credential theft, the device-gated delivery and PWA packaging are techniques to expect in future mobile phishing. Site owners should inspect their pages for unexpected scripts that branch on the user agent, since the redirect is invisible from a desktop browser.
2025-05-21 08:37:15 theregister MISCELLANEOUS UK Concerns Over Dependency on US for Space and Defense Security
Dr. Bleddyn Bowen told a House of Lords committee that the UK is heavily reliant on the US for space technology and military capability. During the Cold War the UK chose not to build an independent satellite-launch capability or its own nuclear delivery system, relying instead on US provision after lengthy negotiation. Rhetoric and policy from the Trump administration have raised questions about the future of that relationship, particularly in military and space cooperation, and witnesses stressed how deeply integrated the two countries are in intelligence, space and defense. The UK government has committed to raising defense spending to 2.5% of GDP by 2027, a move welcomed by President Trump. Day-to-day military cooperation remains robust, including ongoing integration between UK Space Command and the US Space Force, but the UK has begun shifting some defense procurement from US to European suppliers, suggesting a gradual diversification of its alliances.
2025-05-21 07:36:43 theregister CYBERCRIME Scattered Spider Targets Financial and Retail Sectors Globally
Palo Alto Networks' Unit 42 says Scattered Spider has moved from cryptocurrency theft and business process outsourcing firms to the financial sector and now to customer-facing retailers in the UK and US. Its operatives move between industries and apply insider knowledge of how those businesses run; their core technique is social engineering, using fluent native English to talk help-desk and support staff into bypassing internal security procedures such as identity checks before a password or MFA reset. No direct evidence ties the recent retail and cryptocurrency-exchange incidents to Scattered Spider, but its track record means experts are not ruling it out. Binance and Kraken are reported to have fended off similar attempts to bribe or manipulate support staff, with discussion of how costly a successful breach would have been, and Coinbase is working with the US Department of Justice and international law enforcement on its own incident.
2025-05-21 07:16:04 thehackernews MISCELLANEOUS Google Chrome Enhances Security with Auto-Password Change
Google Chrome's built-in Password Manager can now change a compromised password on the user's behalf. When Chrome detects during sign-in that the credentials being used appear in a known breach, it offers to generate a strong replacement and, on supported sites, updates the account automatically. Google frames this as reducing friction so that users actually rotate leaked passwords. Site owners opt in by serving the standard well-known URL, /.well-known/change-password, which redirects to the site's password-change page; Chrome also checks that the server does not answer every path with 200, so catch-all routes must return a non-200 status for unknown well-known paths. The move sits alongside the broader industry push toward passkeys, with Microsoft among the companies making them the default sign-in method.
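The server-side contract behind the auto-change feature, as an added example that is not code from Google or the Chrome project: a handler for the well-known change-password URL plus the client-side check a password manager performs (from the W3C "well-known change-password URL" draft) to distinguish a site that really serves the endpoint from one whose catch-all route answers 200 for everything. The account page path and both sample sites are assumptions constructed for the example.

```javascript
// Added example; not Chrome's or Google's code. Shows the well-known
// change-password contract and the probe that catches catch-all-200 servers.
const CHANGE_PASSWORD_PATH = '/.well-known/change-password';
// Clients also request this deliberately bogus path; a server that answers it
// with 2xx is assumed to answer every URL with 200, and the change-password
// URL is then ignored.
const PROBE_PATH =
  '/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200';
// Hypothetical location of this site's real password-change page.
const ACCOUNT_PASSWORD_PAGE = '/account/security/password';

// Server side: handle the two well-known paths. Returns null for paths it does
// not own so the rest of the application can route them.
function handleWellKnown(pathname) {
  if (pathname === CHANGE_PASSWORD_PATH) {
    return { status: 302, headers: { Location: ACCOUNT_PASSWORD_PAGE } };
  }
  if (pathname === PROBE_PATH) return { status: 404, headers: {} };
  return null;
}

// Client side (what a password manager does): fetch the change-password URL,
// follow redirects, require the final status to be 2xx, then fetch the probe
// path and require it NOT to be 2xx. fetchFn(path) -> { status, headers } is
// synchronous here so the example runs offline; a real client uses fetch().
function supportsChangePassword(fetchFn, maxRedirects = 5) {
  let res = fetchFn(CHANGE_PASSWORD_PATH);
  for (let i = 0; i < maxRedirects && res.status >= 300 && res.status < 400; i++) {
    if (!res.headers.Location) return false;
    res = fetchFn(res.headers.Location);
  }
  if (res.status < 200 || res.status >= 300) return false;
  const probe = fetchFn(PROBE_PATH);
  return !(probe.status >= 200 && probe.status < 300);
}

// Constructed stand-in for a correctly configured site: well-known paths go to
// handleWellKnown, the account page exists, everything else is 404.
function goodSite(path) {
  const wk = handleWellKnown(path);
  if (wk) return wk;
  if (path === ACCOUNT_PASSWORD_PAGE) return { status: 200, headers: {} };
  return { status: 404, headers: {} };
}

// Constructed stand-in for a misconfigured site (single-page-app catch-all)
// that serves the same 200 page for every path, including the probe.
function catchAllSite(_path) {
  return { status: 200, headers: {} };
}

// supportsChangePassword(goodSite)     -> true
// supportsChangePassword(catchAllSite) -> false
```

In a real deployment, wire handleWellKnown in front of any catch-all route (in Express, register it before the SPA fallback), and keep the redirect target a page that requires the user to be signed in; the well-known path itself must be reachable without authentication, otherwise the client's initial fetch never gets past the login wall.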
2025-05-21 01:32:56 theregister MALWARE Ivanti Bugs Exploited, Affect Clouds and Mobile Management
Two Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities, CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (remote code execution), are being exploited in the wild; chained, they give an unauthenticated attacker code execution on the appliance, in on-premises and cloud deployments alike. Ivanti has released patches and attributes the bugs to two open-source libraries bundled with the product. Wiz reports exploitation of cloud-hosted instances since May 16, with attackers dropping the open-source Sliver command-and-control implant for persistent access. CISA has added both CVEs to its Known Exploited Vulnerabilities catalog. The Sliver C2 server IP seen in these attacks was previously used in exploitation of Palo Alto Networks appliances, suggesting the same operators. Administrators should patch, keep EPMM's management interface off the open internet, and hunt for Sliver beacons and unexpected processes on the appliance.
2025-05-20 23:31:34 bleepingcomputer CYBERCRIME College Student Pleads Guilty in Extensive PowerSchool Data Extortion Plot
Matthew D. Lane, a 19-year-old college student, pleaded guilty to federal charges of cyber extortion, unauthorized computer access and aggravated identity theft. Lane and associates first broke into a US telecommunications company, then used login credentials stolen from a PowerSchool contractor to access PowerSchool's systems, from which they took data on 62.4 million students and 9.5 million teachers. In December 2024 they demanded roughly $2.85 million in Bitcoin; PowerSchool paid to keep the data from being published, although the amount it actually paid has not been disclosed. The payment bought nothing lasting: the same data was later used to extort individual school districts. Lane also tried to extort $200,000 from the telecommunications company, including threats against its executives. The aggravated identity theft charge carries a mandatory minimum two-year sentence, served on top of any time for the other counts.
2025-05-20 20:20:24 bleepingcomputer CYBERCRIME Cellcom Confirms Cyberattack Caused Extensive Service Outage
Wisconsin mobile carrier Cellcom has confirmed that a service outage that began on May 14, 2025 was caused by a cyberattack. Voice calls and SMS were down across Wisconsin and Upper Michigan, leaving many customers unable to call or text. Cellcom initially described the problem as a technical issue before CEO Brighid Riordan confirmed it was an attack. Data service, iMessage, RCS messaging and 911 calling kept working. The company says the attack hit parts of the network that do not hold sensitive customer information and that no personal data is known to have been accessed. It has brought in outside incident responders, notified law enforcement, and expects full restoration by the end of the week; in the meantime it is telling subscribers to toggle airplane mode or restart their phones to re-register once service returns, and is posting progress updates on its service page and in video messages from the CEO.
2025-05-20 19:48:23 bleepingcomputer MALWARE Critical Vulnerability in Motors WordPress Theme Allows Admin Takeover
A critical privilege escalation vulnerability in the Motors WordPress theme lets unauthenticated attackers take over administrator accounts. Motors, developed by StylemixThemes and widely used by car dealership and automotive sites, has more than 22,300 sales on the Envato market. The flaw, tracked as CVE-2025-4322, stems from the theme's password-update flow not properly validating the user's identity, so an attacker can change any user's password, including an administrator's, without logging in. With admin access, attackers can install backdoors and malicious plugins, steal data, or redirect visitors to malicious sites. StylemixThemes fixed the issue in version 5.6.68; site owners should update immediately through whichever supported update path they use and review administrator accounts and recent password changes for signs of prior exploitation.
2025-05-20 19:15:20 bleepingcomputer MALWARE Leak of VanHelsing Ransomware Source Code on Forum
Source code for several components of the VanHelsing ransomware-as-a-service operation has leaked on a cybercrime forum. A former developer tried to sell the code for $10,000, including the affiliate panel, the data leak site and the Windows encryptor builder. Pre-empting the sale, the VanHelsing operators released part of the source themselves to undercut the seller, while announcing an updated version of the ransomware. Their release omits the Linux builder and the databases, which limits its value for law enforcement and researchers. The leaked files contain working code for building encryptors but are described as messy and needing additional setup before use. They also include an in-development locker that overwrites the master boot record (MBR), a hint at where VanHelsing, or anyone reusing its code, may go next. Earlier leaks of the Babuk and Conti source code led to widespread reuse by other criminals.
2025-05-20 19:07:02 bleepingcomputer CYBERCRIME VanHelsing Ransomware Source Code Leaked by Disgruntled Developer
The VanHelsing ransomware-as-a-service (RaaS) operation has had its source code and affiliate panel leaked on the RAMP cybercrime forum. A former developer using the alias 'th30c0der' first tried to sell the ransomware builder for $10,000, after which the operators released it themselves to pre-empt the sale. The leak includes the Windows encryptor builder and the affiliate panel code but not the Linux builder or complete databases, which limits its usefulness to law enforcement and researchers. BleepingComputer confirmed the leak is genuine and that it contains a functional Windows encryptor builder and the other components needed to run ransomware operations, so other criminals could spin up their own variants or borrow from it. VanHelsing says it will respond with an updated release, VanHelsing 2.0. Earlier leaks of the Babuk, Conti and LockBit builders were quickly reused in subsequent attacks.
2025-05-20 17:12:34 bleepingcomputer MALWARE SK Telecom Reports Extensive Malware Breach Affecting Millions
SK Telecom, South Korea's largest mobile operator, disclosed a malware infection that exposed USIM data for about 27 million subscribers. The compromise was detected on April 19, 2025, but the initial infection dates back to June 15, 2022, meaning the malware went unnoticed for nearly three years. Exposed data includes IMSI numbers, USIM authentication keys, network usage records and stored SMS messages and contacts, which together enable SIM-swapping and SIM-cloning attacks. SK Telecom is replacing SIM cards for all affected subscribers and has tightened controls to block unauthorized number porting. A government-led investigation found 23 compromised servers, 25 categories of exposed data and 25 distinct malware strains; contradicting SK Telecom's earlier denial, investigators found personal customer data, including 291,831 IMEI numbers, on 15 of the infected servers. The company has suspended new subscriber sign-ups while it deals with the fallout and says it will take full responsibility for any resulting damage.
2025-05-20 16:06:41 theregister MALWARE Critical Vulnerability Found in OpenPGP.js Affects Message Security
A vulnerability in OpenPGP.js lets an attacker spoof signature verification, so a tampered signed or signed-and-encrypted message is reported as validly signed. Tracked as CVE-2025-47934 with a CVSS score of 8.7 (high), it affects OpenPGP.js versions 5.0.1 through 5.11.2 and 6.0.0-alpha.0 through 6.1.0. Codean Labs researchers found that openpgp.verify and openpgp.decrypt can return data that was not actually signed alongside a 'verified' result; the fix is in versions 5.11.3 and 6.1.1, and users should upgrade now. Full technical details and a proof of concept are being withheld for the time being to give downstream projects time to update. Daniel Huigens, lead maintainer of OpenPGP.js and an engineer at Proton (the library's main user), recommends treating signature results with caution until the patch is deployed, and the project advisory publishes a workaround for those who cannot upgrade immediately. Because OpenPGP.js underpins Proton Mail and other web-based email clients, the potential exposure extends to more than 100 million Proton Mail accounts and other services built on the library.
2025-05-20 15:57:16 thehackernews MALWARE Hazy Hawk Hijacks Abandoned Domains to Disseminate Malware
A threat actor tracked as Hazy Hawk has been hijacking subdomains of reputable organizations by exploiting dangling DNS records: CNAMEs that still point at cloud resources (storage buckets, app hostnames, CDN endpoints) the owner has since deleted, which the attacker simply re-registers under the same name. Victims since December 2023 include the US CDC, other government agencies and large firms such as Deloitte and PwC. The hijacked subdomains inherit the parent domain's reputation, so they rank well in search results and pass reputation-based filters; Hazy Hawk uses them to feed visitors into traffic distribution systems that route to scams, malware and fake apps. The sites clone legitimate content, then redirect, and push browser notification prompts so that victims keep receiving scareware and scam alerts after they leave. Domain owners should delete a CNAME the moment the resource it points to is decommissioned and should audit their zones for records whose targets no longer resolve; users should decline notification requests from unfamiliar sites.
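The zone audit recommended above, as an added example that is not code from Infoblox or the Hazy Hawk research: walk every CNAME in a zone, flag targets that no longer resolve, and rank first those on providers where anyone can claim the released name. The sample zone, the resolver stand-in and the list of claimable provider suffixes are all constructed for the example.

```javascript
// Added example; not Infoblox code. Finds dangling CNAMEs, the condition
// Hazy Hawk abuses by re-registering an abandoned cloud resource.

// Constructed zone: owned hostname -> current CNAME target.
const SAMPLE_ZONE = {
  'www.example.org':        'www-prod.cdn-vendor.example',         // still live
  'api.example.org':        'api-lb.cloud-vendor.example',         // still live
  'legacy-app.example.org': 'legacy-app-2019.apps-vendor.example', // app deleted
  'promo.example.org':      'promo-2022.static-vendor.example',    // site deleted
  'old-mail.example.org':   'mx3.old-isp.example',                 // ISP gone
};

// Constructed resolver stand-in: true when the target still has address
// records, false when the lookup comes back NXDOMAIN. For real checks pass a
// function built on dns.promises.resolve(), which rejects with ENOTFOUND.
const LIVE_TARGETS = new Set([
  'www-prod.cdn-vendor.example',
  'api-lb.cloud-vendor.example',
]);
function fakeResolves(target) {
  return LIVE_TARGETS.has(target);
}

// Assumed triage list: provider suffixes under which the tenant picks the
// hostname label, so a released name can be re-registered by anyone.
// Replace with the suffixes of the providers you actually use.
const CLAIMABLE_SUFFIXES = ['.apps-vendor.example', '.static-vendor.example'];

function isClaimable(target, suffixes = CLAIMABLE_SUFFIXES) {
  return suffixes.some((s) => target.endsWith(s));
}

// Returns every owned name whose CNAME target no longer resolves, with a flag
// saying whether the target sits on a provider where the label can be
// re-claimed; those come first because they are the ones to delete today.
function findDanglingCnames(zone, resolves, suffixes = CLAIMABLE_SUFFIXES) {
  const dangling = [];
  for (const [name, target] of Object.entries(zone)) {
    if (resolves(target)) continue;
    dangling.push({ name, target, claimable: isClaimable(target, suffixes) });
  }
  return dangling.sort((a, b) => Number(b.claimable) - Number(a.claimable));
}

// findDanglingCnames(SAMPLE_ZONE, fakeResolves) -> 3 entries,
// legacy-app and promo (claimable) before old-mail (not claimable)
```

Two caveats when running this against a real zone: resolve the whole CNAME chain, not just the first hop, since the dangling link is often two or three aliases deep; and some providers answer for every hostname under their domain and only report "no such resource" at the HTTP layer, so an NXDOMAIN check alone misses them and needs a provider-specific probe on top.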