Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12813

Checks for new stories every ~15 minutes

2025-03-24 14:13:56 thehackernews MALWARE VanHelsing RaaS Targets Multiple OS with Sophisticated Extortion Tactics
VanHelsing, a new ransomware-as-a-service (RaaS) operation, began its malicious activities on March 7, 2025, and has already claimed three victims. It uses a double-extortion approach, stealing data before encryption and then threatening to release the stolen data unless a ransom is paid. The service appeals to a broad range of cybercriminals by providing a user-friendly control panel accessible from multiple devices and operating systems, including Windows, Linux, and more. Entry into the VanHelsing RaaS program requires a $5,000 deposit for new affiliates, while established partners may join for free, with affiliates typically retaining 80% of any ransom collected. The ransomware specifically avoids targeting the Commonwealth of Independent States (CIS), following a common practice in the cybercrime ecosystem of not attacking entities within these nations. VanHelsing encrypts files, appends a ".vanhelsing" extension to them, alters desktop wallpapers, and displays a ransom demand, pushing victims to pay in Bitcoin. CYFIRMA reports that the manufacturing, government, and pharmaceutical sectors in the U.S. and France are among those impacted by these ransomware attacks. This trend aligns with a global increase in ransomware incidents, with February 2025 cited as a record month of 962 attacks, signaling a spike in remote encryption tactics by cybercriminals.
2025-03-24 14:06:43 theregister CYBERCRIME 23andMe Files for Bankruptcy Amidst Financial Struggles and Cyberattack Fallout
23andMe initiated Chapter 11 bankruptcy proceedings in the Eastern District of Missouri, citing financial challenges and legal liabilities from a significant 2023 cyberattack. The company plans to sell its assets under court supervision, aiming to maximize value and address its operational and financial obstacles. Court-approved debtor-in-possession financing secures $35 million to fund operations and maintain payments to staff and vendors during the asset sale process. CEO Anne Wojcicki stepped down but will remain on the board, following ongoing financial instability and failed attempts to take the company private. 23andMe has struggled financially since its inception in 2006, never achieving profitability, with its recent cyberattack exacerbating its financial insecurity. The bankruptcy filing will handle the resolution of a $30 million settlement from a class-action lawsuit over the data breach, underscoring the cyberattack's severe impact. California's attorney general has advised state residents to proactively manage their personal data held by 23andMe, reflecting heightened data privacy concerns. Despite the bankruptcy and leadership change, 23andMe will continue to operate normally until the asset sale is concluded.
2025-03-24 14:06:42 bleepingcomputer MALWARE Study Uncovers Hidden Malware Risks in Microsoft 365 Backups
The Acronis Threat Research Unit analyzed security for over 300,000 Microsoft 365 seats, revealing substantial vulnerabilities. Despite Microsoft's built-in security features, relying solely on these measures exposes backups to attacks. Detected malicious elements indicate that Microsoft 365's native security is insufficient against modern cyber threats. Persistent threats within the backup data could lead to repeated system re-infections and ongoing security breaches. Microsoft's "shared responsibility" model emphasizes user accountability for securing data within the cloud infrastructure. The study highlights the necessity for organizations to adopt comprehensive third-party security solutions to bolster defenses. Recommendations for Managed Service Providers (MSPs) and IT teams include implementing a full spectrum of security measures to maintain business continuity and resilience.
2025-03-24 11:54:22 theregister NATION STATE ACTIVITY U.S. Treasury Lifts Sanctions on Tornado Cash Amid Crypto Policy Shift
The U.S. Treasury Department recently reversed sanctions on Tornado Cash, a cryptocurrency mixer originally sanctioned for laundering over $7 billion, including funds from North Korea's Lazarus Group. Despite lifting sanctions, the U.S. continues to express significant concerns about the misuse of Tornado Cash and the ongoing state-sponsored cyber activities primarily from North Korea. The decision to lift sanctions follows a federal appeals court ruling challenging the Treasury’s authority to ban the crypto mixer’s smart contracts. Two co-founders of Tornado Cash faced indictments in the U.S. for facilitating criminal proceeds, with one still on the FBI's wanted list. This policy reversal aligns with broader changes in the administration's approach to cryptocurrency regulation, including SEC discussions on applying securities laws to digital assets. The U.S. Securities and Exchange Commission (SEC) opted not to appeal a legal decision favoring Ripple Labs in a significant case about the classification of cryptocurrencies, affecting XRP's market value positively. Bipartisan political support grows around cryptocurrency regulation, evidenced by discussions and updates to the GENIUS Act concerning stablecoins. The U.S. remains vigilant in monitoring crypto transactions that could support malign actors or benefit DPRK, with a continued focus on using legal powers to disrupt these activities.
2025-03-24 11:38:26 thehackernews CYBERCRIME GitHub Attack Unleashes Supply Chain, AI Malware Threats
A manipulation in an open-source GitHub tool led to a widespread supply chain compromise, initially targeting a Coinbase project. The subsequent campaign leaked crucial CI/CD secrets across numerous repositories, suspected to be a financially motivated attack aimed at cryptocurrency theft. A new comprehensive malware is silently capturing passwords, cryptocurrency information, and taking over systems while remaining undetected. Over 300 Android applications were discovered conducting ad fraud, disguising their malicious activities behind regular app icons. Ransomware groups are enhancing their methods by utilizing stolen drivers to disable security systems. Recent transitions include threat groups moving from activism to for-profit activities, and trusted browser extensions being converted into tools for cyber attacks. Both attackers and defenders are increasingly adopting AI technologies to advance their tactics amidst this evolving cyber threat landscape. Critical security advisories urge prompt updates to prevent exploitation, highlighting vulnerabilities in software ranging from infrastructure management to content management systems.
2025-03-24 11:15:04 thehackernews MALWARE Malicious VSCode Extensions Found Deploying Ransomware
Two malicious extensions in the Visual Studio Code (VSCode) Marketplace were discovered deploying early-stage ransomware. The extensions, named "ahban.shiba" and "ahban.cychelloworld," have been removed by marketplace maintainers after the discovery by ReversingLabs. The malicious code within these extensions was designed to execute a PowerShell command which fetched and ran a ransomware script from a remote server. The ransomware targeted files in a specific desktop folder ("testShiba"), encrypting them and demanding ransom in ShibaCoin. Indications suggest the ransomware was under development, evident from the lack of complete ransom details provided to victims. This incident follows the reporting of malicious Zoom-like extensions and a malicious Maven package that exfiltrates OAuth credentials periodically. Attackers employed typosquatting tactics to enhance the perceived legitimacy of their malicious offerings, potentially misleading developers to integrate these into projects.
2025-03-24 11:07:07 thehackernews MISCELLANEOUS Balancing Strong Password Security with Seamless User Experience
Most users prefer seamless user experiences over stringent security protocols, often compromising password security. High user friction can lead to non-compliance with security measures, increasing cyber risk through behaviors like password reuse or sharing. Effective user experience (UX) designs in security protocols can enhance compliance and minimize disruptions, improving overall cybersecurity. Implementing user-friendly password policies, such as promoting passphrases over complex passwords, can improve security and usability. Providing dynamic feedback during password creation and handling forced resets gracefully can help reduce user frustration. Security teams should consider password aging strategies that adjust required changes based on password strength, optimizing both security and UX. The adoption of nuanced password policies can help organizations maintain robust security while improving user satisfaction and compliance.
2025-03-24 09:40:41 theregister MISCELLANEOUS Microsoft's Bug Report Video Requirement Sparks Backlash
Microsoft introduced a new requirement for bug reporters to include videos along with their submissions, leading to unintended consequences. A developer showcased frustration through a 15-minute video that didn't add value beyond the initial bug report, highlighting inefficiency in the new system. The change was presumably meant to reduce low-quality submissions but has instead been perceived as a barrier, taxing developers' time and resources. This scenario reflects larger issues with tariffs and how they can inadvertently demotivate valuable feedback and contribute to inefficiency. The article compares this incident to wider economic implications of tariffs, like Brexit, emphasizing how poor planning and execution can lead to substantial negative outcomes. The piece suggests that better training in bug reporting could be a more productive solution rather than imposing additional burdens on reporters.
2025-03-24 09:22:22 thehackernews MALWARE Critical Security Flaw in Next.js Could Bypass Authorization
A critical security vulnerability, CVE-2025-29927, has been identified in Next.js, affecting middleware authorization checks. The vulnerability has a high severity with a CVSS score of 9.1, indicating significant risk potential. Attackers could exploit this flaw to skip middleware and access restricted areas of the web application, such as admin pages. Next.js versions impacted include 12.3.5, 13.5.9, 14.2.25, and 15.2.3; patches are available to address this issue. If unable to patch promptly, users should block requests containing the "x-middleware-subrequest" header, which is exploited in attacks. Researcher Rachid Allam (aka zhero or cold-try) discovered and reported the flaw, and has since published technical details, heightening the urgency for patches. Websites relying solely on middleware for user authorization and not employing secondary checks are particularly vulnerable.
2025-03-24 05:36:02 theregister NATION STATE ACTIVITY Europol Report: Rising Tech Savviness in Organized Crime Networks
Europol's recent report indicates a profound shift in organized crime, heavily integrating digital technology including AI. Organized crime now routinely involves digital components, making illegal activities such as human smuggling and drug trafficking more sophisticated and difficult to detect. Criminal networks are leveraging digital platforms, illicit financial flows, and geopolitical instability to expand their influence across the globe. The report emphasizes that the evolution of organized crime undermines EU institutions and societal cohesion, posing a significant threat. Europol warns that criminal networks might be serving as proxies for hybrid threat actors, possibly including state-aligned groups, to mutually enhance their capabilities. The inclusion of state-of-the-art technology and AI tools in criminal operations allows these networks to operate more efficiently and evade law enforcement efforts. The adoption of AI by these networks underscores a need for law enforcement agencies to advance their technological capabilities to effectively counter these threats.
2025-03-23 23:35:19 theregister MISCELLANEOUS China Implements New Facial Recognition Regulations and Privacy Rules
China's Cyberspace Administration and Ministry of Public Security have introduced new regulations prohibiting the compulsory use of facial recognition technology and its use in private areas such as hotel rooms and public facilities. Organizations wishing to use facial recognition must perform a personal information protection impact assessment, secure explicit consent, and implement data encryption for biometric data. The rules exempt research and algorithm training activities, potentially allowing the continued use of facial images for AI model training without broader consent. India has crowned Zoho's Ulaa as the top national web browser through a government-backed competition, enhancing local digital autonomy and security. Taiwanese critical infrastructure faced cyberattacks from a group identified as UAT-5918, featuring tactics similar to those of possibly state-backed Chinese hacking groups. X (formerly Twitter) has initiated legal action against the Indian government, challenging content takedown laws that it argues suppress freedom of speech. Japan debates a contentious cybersecurity law aiming for active defense measures, including potential offensive cyber operations, while ensuring the protection of personal privacy. The Australian Strategic Policy Institute reports harassment following critical research publications on China, with allegations of targeted online abuse against its staff.
2025-03-23 21:12:54 theregister DATA BREACH Oracle Cloud Denies Breach Amid Claims of Stolen Customer Data
Oracle refutes allegations that its cloud services were breached and customer data stolen, despite the online sale of purported security keys and sensitive data. An unknown entity advertised on a cyber-crime forum, claiming to have obtained data from Oracle Cloud's single-sign-on servers by exploiting a vulnerability. Oracle insists there was no breach, stating that no customer data was lost and that the credentials for sale do not pertain to its cloud services. The seller provided evidence indicating a compromised Oracle server, including a text file created as proof of the breach. Security experts suggest the server may have been vulnerable due to an unpatched critical flaw in Oracle Fusion Middleware's Access Manager. The purported stolen data includes Java KeyStore files, encrypted passwords, and other sensitive information, potentially impacting thousands of customers. The seller, identified as rose87168, reportedly demanded over $200 million in cryptocurrency from Oracle to reveal details of the breach, which Oracle refused. Rose87168 also shared a list of domains of the affected companies, offering to withhold their data from sale for a ransom.
2025-03-23 20:12:15 bleepingcomputer MALWARE Microsoft Trusted Signing Service Exploited to Sign Malware
Cybercriminals are exploiting the Microsoft Trusted Signing service by signing malware with three-day certificates. Signed malware can potentially bypass security systems by appearing legitimate, owing to the signing reputation. The misuse involves a Microsoft-run certification authority and affects the new Microsoft ID Verified certificates. Recent campaigns such as Crazy Evil Traffers and Lumma Stealer have used this method. The service, designed to streamline application security practices for developers, has inadvertently provided a new tool for cybercriminals. Microsoft has implemented measures such as revocation of misused certificates and account suspension to combat this abuse. Despite checks, the ease of obtaining certificates and their short validity period make them attractive for illegal uses. Microsoft continues to monitor for certificate misuse through threat intelligence to prevent future abuse.
2025-03-23 14:12:44 bleepingcomputer MALWARE FBI Alerts Public to Malware Risk in Fake File Converters
The FBI has issued warnings about fraudulent online file converters being used to deploy malware and steal sensitive information. Cybercriminals create websites that appear legitimate, offering services to convert or merge files, which can actually load malware onto users' devices. These malicious tools can scrape uploaded documents for personal data like social security numbers, banking details, and passwords. Reports of these scams have been made to IC3.gov, including one from a public sector entity in metro Denver. Scammers also use deceptive practices in search engine algorithms to promote their fraudulent tools, tricking users looking for legitimate file conversion services. Malicious software associated with these scams can include ransomware, banking trojans, info stealers, and other post-exploitation tools capable of extensive network breaches. The FBI advises the public to research file conversion tools thoroughly and to check user reviews before downloading to avoid falling victim to these scams.
2025-03-23 13:09:04 theregister NATION STATE ACTIVITY Ex-NSA Chief Discusses Election Security and Adversarial Strategies
Former NSA head Mike Rogers highlighted Russia's decreased visibility in U.S. election meddling, attributing it to increased U.S. election security measures. Rogers shared insights on the uncertain future of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) amid suggestions to refocus its mandate away from misinformation. Persistent engagement with adversaries has been a cornerstone strategy for U.S. Cyber Command, enhancing situational awareness and intelligence. The U.S. government plays a critical role in national cybersecurity, leveraging its unique capabilities, intelligence, and regulatory powers. In his post-NSA career, Rogers is focusing on integrating cybersecurity within fintech and healthcare sectors through his role at Team8. Rogers also commented on the current and potential future impacts of AI on cybersecurity, noting its stronger application in offensive rather than defensive strategies.