Daily Brief

2025-05-19 19:24:37 bleepingcomputer DATA BREACH O2 UK Resolves Bug Exposing Mobile Users' Location Data
Security flaw in O2 UK's VoLTE and WiFi Calling allowed location tracking through call metadata. Researched by Daniel Williams, the vulnerability persisted since March 2017 until its recent resolution. The breach leaked sensitive information such as IMSI, IMEI numbers, and cell tower locations. Williams used the Network Signal Guru app and public tools to pinpoint user locations accurately. O2 UK, with nearly 23 million mobile users, implemented the fix without requiring customer action. Virgin Media O2 confirmed the issue and its resolution, assuring no customer action needed. Uncertainty remains on whether O2 UK previously knew about the flaw or if any exploitation occurred.

2025-05-19 19:05:49 theregister CYBERCRIME SIM-Swap Scam Leads to False SEC Announcement, Prison Sentence
Eric Council Jr., 26, from Huntsville, Alabama, was sentenced to 14 months in prison for initiating a SIM-swap scam that targeted the SEC's official social media account. Council and accomplices hijacked the SEC's X account and posted a fake announcement about government approval of Bitcoin ETFs, causing significant market fluctuations. The fraudulent post led to a temporary increase in Bitcoin's price by over $1,000; however, the value plummeted by more than $2,000 after the SEC regained control and issued a retraction. To execute the scam, Council used a fake ID at an AT&T store to obtain a new SIM card linked to the victim C.L.'s number, and subsequently accessed C.L.'s two-factor security codes. Incriminating searches by Council on his personal computer, including "SECGOV hack" and "how can I know for sure if I am being investigated by the FBI," were instrumental in his capture and conviction. The FBI highlighted the case as a deliberate attempt to deceive the public and manipulate financial markets, endangering trust in public communications platforms. Following his prison term, Council will undergo three years of supervised release, underscoring the legal penalties for cybercrimes involving identity theft and fraud.

2025-05-19 18:01:10 bleepingcomputer CYBERCRIME Arla Foods Hit by Cyberattack, Production Temporarily Halted
Arla Foods, a major international dairy producer, confirmed a cyberattack at its Upahl, Germany facility, impacting the local IT network and production. The incident caused disruptions, leading to potential product delivery delays or cancellations. Arla is actively working on resuming normal operations, with expectations to restore full functionality within the week. The cyberattack specifics, including whether data was stolen or encrypted, remain undisclosed by Arla. No reports have linked this incident to known ransomware groups, and it has not appeared on extortion portals, leaving the attacker's identity unclear. This event affected only the Upahl location, with production at other Arla sites continuing unaffected. Arla has informed customers potentially affected by delivery issues resulting from the disruption.

2025-05-19 15:53:57 thehackernews MALWARE RVTools Website Compromised to Distribute Bumblebee Malware
The official website of RVTools was hacked to distribute a malicious installer for the VMware utility software. The infected installer was found sideloading a harmful DLL identified as the Bumblebee malware loader. The extent of the infection and the duration of the compromised installer's availability are unknown. RVTools has cautioned users against downloading its software from any source other than its official websites. A separate malware threat through Procolored printer software included a backdoor and a clipper malware capable of cryptojacking. The clipper malware, SnipVex, intercepted and altered Bitcoin wallet addresses in clipboard data to reroute transactions. Procolored has acknowledged the issue, stating the source might have been infected USB drives used in October 2024. Despite the command and control server for the backdoor being offline since February 2024, the clipper malware remains active and damaging.

2025-05-19 15:15:38 bleepingcomputer DATA BREACH UK Legal Aid Agency Hit by Major Data Breach Incident
The UK Legal Aid Agency (LAA) confirmed the theft of extensive applicant data in a recent cyberattack, originally believed to be less severe. This breach affected records dating from 2010, compromising sensitive personal information of those who applied for legal aid. The LAA, an arm of the UK Ministry of Justice, provides crucial legal services to individuals unable to afford legal representation. Following the breach discovery on May 16, immediate measures included securing all LAA systems with assistance from the National Cyber Security Centre and temporarily shutting down the online application platform. The UK government urges all legal aid applicants to be cautious of potential scams and to verify communications before sharing personal information. LAA's CEO, Jane Harbottle, expressed deep regret over the incident and committed to providing ongoing updates and addressing the breach's implications. It is still unclear if the data theft at the LAA is connected to recent attacks on UK retailers by a group using DragonForce ransomware.

2025-05-19 14:44:21 thehackernews MALWARE Ransomware Gangs Utilize Skitnet Malware to Compromise Corporate Systems
Ransomware actors have adopted Skitnet malware for advanced data theft and remote control of targeted systems. Skitnet, also referred to as Bossnet, was first sold on the dark web in April 2024 and has been actively used in attacks since early 2025. The malware's complex design uses languages like Rust and Nim to evade typical security detections by launching a reverse shell over DNS. Skitnet includes capabilities for persistence, remote access, command execution, data exfiltration, and delivering additional payloads. Notable usage includes a Black Basta phishing campaign in April 2025, which targeted enterprise environments via Teams-themed emails. The malware facilitates stealth by dynamically resolving API function addresses and can manage infected hosts via a command-and-control panel. Concurrently, another malware, TransferLoader, targets US law firms and also features advanced evasion and management techniques.

2025-05-19 14:15:20 bleepingcomputer MISCELLANEOUS Security Experts Unveil 29 Zero-Days at Pwn2Own Berlin 2025
Pwn2Own Berlin 2025 concluded with security experts exploiting 29 zero-day vulnerabilities, earning a total of $1,078,750. Competitors targeted advanced enterprise technologies across various categories, including AI, browsers, virtualization, servers, and automotive. The event featured rigorous conditions with all devices updated and running the latest OS versions, including contributions from Tesla with their latest models. STAR Labs SG emerged as the top team, securing 35 Master of Pwn points and $320,000 by exploiting systems like Red Hat Enterprise Linux and VMware ESXi. The highest individual reward of $150,000 went to Nguyen Hoang Thach from STAR Labs for an integer overflow exploit in VMware's ESXi software. Early patches were issued by Mozilla for two exploited zero-days in Firefox, reinforcing the prompt response benefit of the competition's disclosure policy. The disclosed vulnerabilities are held privately for 90 days, giving vendors a window to patch before public release by TrendMicro's Zero Day Initiative. The competition underscored the critical role of ethical hacking in strengthening cybersecurity defenses across multiple technology domains.

2025-05-19 14:15:20 bleepingcomputer MALWARE Mozilla Quickly Patches Critical Zero-Days Post-Hacking Contest
Mozilla addressed two critical Firefox zero-day vulnerabilities immediately following their demonstration at Pwn2Own Berlin 2025. The vulnerabilities impacted both desktop and Android versions of Firefox and related Extended Support Releases. CVE-2025-4918 involved an out-of-bounds read/write issue in the JavaScript engine with Promise objects, unveiled by Palo Alto Networks researchers. CVE-2025-4919 allowed out-of-bounds reads/writes by manipulating array index sizes, discovered by researcher Manfred Paul. Even though no sandbox escapes occurred, Mozilla credited recent enhancements to the Firefox sandbox for preventing further exploitability. The disclosed zero-days prompted the formation of a global task force by Mozilla to quickly develop and deploy fixes. Firefox users are urged to update their browsers to the latest versions as recommended by Mozilla to mitigate potential exploitation risks. The incident underlines the ongoing significance of high-profile security competitions like Pwn2Own in uncovering vulnerabilities.

2025-05-19 11:42:51 theregister DATA BREACH Extensive UK Legal Aid Data Theft Affects Millions
The UK's Legal Aid Agency, sponsored by the Ministry of Justice, experienced a significant data breach with cybercriminals stealing a "significant amount of personal data" dating back to 2010. Stolen data includes contact details, home addresses, dates of birth, national ID numbers, criminal histories, employment statuses, and detailed financial records. The breach was first detected on April 23, but it was not until May 16 that the full extent of the data accessed was understood, revealing a much greater impact than initially expected. The attack could potentially affect all individuals who applied for legal aid from 2010 to 2025; they are advised to be vigilant of suspicious activities and to update security measures like passwords. In the last reported year (April 2023 to March 2024), 388,888 legal aid applications were made, indicating a wide scope of potential data exposure. The Ministry of Justice and the National Cyber Security Centre are working together to enhance security post-incident and guide the public on scam protection. The legal aid agency has taken its online services offline to prevent further data exposure and implement security improvements. Legal aid applicants and providers are urged to stay alert and await further updates as the investigation continues and remedial actions are undertaken.

2025-05-19 11:07:59 thehackernews MISCELLANEOUS CTEM Emerges as Essential Strategy for CISOs in 2025
Continuous Threat Exposure Management (CTEM) has become a strategic enabler for Chief Information Security Officers (CISOs), moving from a conceptual framework to a cornerstone of cybersecurity programs. CTEM integrates tools such as Adversarial Exposure Validation (AEV), External Attack Surface Management (ASM), autonomous penetration testing, red teaming, and Breach and Attack Simulation (BAS) to proactively manage and reduce security risks. The approach shifts from periodic security assessments to continuous, real-time threat exposure management, enhancing the alignment of security efforts with business objectives. Gartner predicts that by 2026, organizations implementing CTEM will be three times less likely to experience a data breach, underlining the effectiveness of the strategy. The methodologies within CTEM enable security teams to discover, prioritize, and monitor digital assets continuously, thus expanding visibility and improving the scalability and efficiency of security operations. The integration of AI and automation within AEV and autonomous penetration testing allows for more effective replication of real-world attacker behaviors and proactive identification of exploitable exposures. CTEM helps bridge the gap between security investments and business priorities, assisting CISOs in driving measurable, outcome-based security initiatives. The rapid adoption of CTEM across enterprises is attributed to increasing cyber risks, regulatory pressures, and the expanding digital footprints of businesses, necessitating a shift towards a more dynamic and proactive cybersecurity approach.

2025-05-19 10:39:20 thehackernews CYBERCRIME Mozilla Firefox Update Fixing Critical Zero-Day Flaws Released
Mozilla has issued updates for Firefox to address two critical vulnerabilities discovered during the Pwn2Own Berlin contest. The vulnerabilities could allow attackers to access sensitive data or execute code by exploiting out-of-bounds read or write issues. CVE-2025-4918 and CVE-2025-4919 were the security flaws exploited, each awarded $50,000 at the event. The flaws affect several versions of Firefox, emphasizing the need for users to update their browsers promptly. The exploited vulnerabilities highlight the risks associated with web browsers as targets for malware attacks. Security experts Edouard Bochin and Tao Yan from Palo Alto Networks, and independent researcher Manfred Paul, identified the vulnerabilities.

2025-05-19 10:01:00 thehackernews MISCELLANEOUS Microsoft Patches Five Zero-Day Vulnerabilities
Microsoft addressed a total of 78 security flaws in its latest Patch Tuesday update, with five categorized as zero-day vulnerabilities actively exploited in the wild. The specific CVEs include CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, and CVE-2025-32709; details regarding the exploitation context, perpetrators, and targets remain undisclosed. The report from Wiz Threat Research highlights the importance of securing code repositories and development pipelines, revealing common vulnerabilities and attacker strategies. The article emphasizes the necessity for continual vigilance in updating software to protect against newly discovered vulnerabilities and to mitigate the risks of major breaches. Key tools and strategies for detecting hidden threats in seemingly safe files are discussed, including the use of Sysmon and Sigma rules for Windows, and grep or find commands for Linux/macOS. The cyber security landscape demands a unified approach connecting AppSec, cloud, and SOC teams to seal security gaps and enhance response times against attacks. The ongoing challenge for cybersecurity isn't just to react to threats but to proactively integrate resilience and comprehensive oversight in organizational security practices.

2025-05-19 09:37:36 theregister CYBERCRIME UK Health Service Calls for Vendor Participation in Cybersecurity Charter
UK National Health Service (NHS) cybersecurity leaders have issued a public charter, urging tech vendors to pledge better security practices. Recent ransomware attacks have repeatedly targeted the NHS and its supply chain, escalating concerns about endemic cyber threats. The charter aims to enhance cyber resilience via collaboration, focusing on vendors servicing clinical systems and handling sensitive NHS data. Signatories of the charter are encouraged but not legally bound to the commitments, which detail measures to align with NHS cybersecurity goals. The initiative comes as the UK prepares to introduce the Cyber Security and Resilience Bill, aimed at strengthening protection of critical supply chains. The NHS plans to include cyber security requirements in future contracts and ensure compliance through assurance processes and contractual terms. Several severe cyber incidents in the past year have disrupted critical healthcare services, revealing urgent needs for improved security measures at the board level.

2025-05-19 03:36:55 theregister MISCELLANEOUS Multiple Global Cyber Security Incidents Reported Recently
The Alabama state government is currently grappling with an unspecified cybersecurity event which has compromised some state systems. However, it has not led to any significant disruptions in state services, and no personal information of citizens appears to be compromised. The event was detected when unauthorized individuals accessed some state employees' credentials; external cybersecurity consultants are now assisting with system restoration. A separate case involves Liridon Masurica, who was extradited to the US for operating BlackDB.cc, an illicit online marketplace selling stolen data, and now faces up to 55 years in prison if convicted on all charges. Andy Frain Services, a security and event planning firm, reported a breach affecting nearly 101,000 individuals by the Black Basta ransomware gang, which claims to have stolen 750 GB of data including human resources files. Russian-backed cyber group Fancy Bear (APT28) has initiated a renewed cyberattack campaign against Ukraine, employing spear-phishing to exploit vulnerabilities in webmail servers. Europol has disrupted a significant online investment fraud network that tricked investors in several countries into losing over €3 million through a deceptive trading platform. National cyber defense capabilities are questioned as cuts in funding, specifically a $10 million reduction to the MS-ISAC, potentially limit effective response and preventative measures against such cybersecurity events.

2025-05-19 00:38:12 theregister MISCELLANEOUS China Launches AI Satellite Network; South Korea and Japan Advance Tech
China's Guoxing Aerospace deployed twelve satellites equipped with advanced AI capabilities aimed at astronomical and emergency services applications. The satellites form part of a planned constellation of 2,800, featuring high-speed laser communication links and significant computing power. South Korea announced purchasing a state-of-the-art supercomputer from HPE for enhanced research capabilities and also plans to buy 10,000 GPUs to boost local tech innovation. US-imposed tariffs are predicted to slow tech spending growth in the Asia-Pacific region, impacting IT investments and raising costs due to supply chain disruptions. India's HCL Technologies, in partnership with Foxconn, received approval to build a semiconductor plant focused on producing display driver chips. Japan enacted a new law allowing for active cyber defense measures, marking a shift in policy by permitting offensive cyber capabilities and mandating critical infrastructure to report security incidents.