Daily Brief

2025-03-05 13:23:28 thehackernews MISCELLANEOUS Google Introduces AI Scam Detection for Enhanced Android Security
Google announced new AI-powered scam detection features for Android, targeting conversational scams and enhancing user security. The detection tools use sophisticated AI models to identify suspicious patterns and offer real-time alerts, working entirely on-device. This initiative includes a collaboration with financial institutions to analyze common scam tactics faced by customers. The feature alerts Android users about potential scams from phone numbers not listed in their contacts, with options to dismiss, report, or block the sender. Users are assured of their privacy as conversations remain private unless a chat is reported as spam; then, only sender details and recent messages are shared. The scam detection capability is initially available in English in the U.S., U.K., and Canada, with plans to expand to more regions and languages. Google also expanded similar features for phone calls to Pixel 9+ users in the U.S., enhancing call security with optional scam detection alerts. The rollout aligns with broader Google security enhancements, such as Enhanced Protection in Chrome, leveraging AI to protect against phishing and dangerous downloads.
2025-03-05 12:02:17 theregister DATA BREACH Leeds United Apologizes After Retail Site Cyber Theft
Leeds United's retail website was targeted by cybercriminals between February 19 and 24, leading to the theft of customer card details. A limited number of customers affected by the data theft were directly notified by the club. The club has engaged in dialogue with the UK's Information Commissioner's Office (ICO) in response to the breach. A third-party forensic team was consulted to investigate the breach and implement security measures to prevent future incidents. Despite existing cybersecurity efforts, Leeds United expressed disappointment over the breach's success and extended apologies to those impacted. Cybersecurity advisor Jake Moore highlighted that the attackers likely captured card details from each transaction during the breach period. Moore emphasized the necessity of robust security and vigilant monitoring to protect financial data on websites. The English Football League (EFL) has also issued warnings following separate cyberattacks and phishing incidents involving other football clubs.
2025-03-05 11:06:02 thehackernews CYBERCRIME Identity: Critical Focus in Modern Cybersecurity Strategies
The shift to cloud services and remote work has increased the complexity and vulnerability of enterprise tech ecosystems. Identity is the major vulnerability and prime target for cyber attacks, highlighted as the core attack vector in the 2024 Verizon Data Breach Report. Modern businesses are encouraged to centralize Identity management across all systems to enhance security and operational efficiency. Centralized Identity platforms offer comprehensive visibility, powerful orchestration, and broad integration capabilities to strengthen defense mechanisms. An effective Identity solution provides not only real-time insights and automated threat responses but also seamless integration with existing tech stacks. Integrating Identity management is proposed as a proactive, foundational strategy in cybersecurity to prevent breaches and minimize risks. The article advocates for an Identity-first security approach to manage and secure disparate applications and systems without security gaps.
2025-03-05 11:06:02 thehackernews NATION STATE ACTIVITY Lotus Panda APT Hits Asian Governments with Sagerunex Backdoor
Lotus Panda, a suspected Chinese hacking group, has targeted government and other sectors across Asia with the Sagerunex backdoor. The group has enhanced Sagerunex with new variants for heightened evasion and persistent access. Sagerunex exploits legitimate services like Dropbox and Zimbra for command-and-control operations, masking malicious activity. The malware collects encrypted data from the host and exfiltrates it, also allowing remote control by interpreting commands housed in Zimbra emails. Other tools used in these campaigns include a cookie stealer, privilege management software, and a proxy utility named Venom. Lotus Panda has adapted its infiltration techniques to overcome network restrictions, using native proxy settings or the Venom tool. Detailed by Cisco Talos, these revelations follow prior exposure by Symantec, with attacks increasingly sophisticated since 2009.
2025-03-05 10:24:58 theregister CYBERCRIME Qilin Ransomware Gang Targets Global Healthcare Facilities
Qilin ransomware group claimed recent attacks on a cancer clinic in Japan and a U.S. OB-GYN facility, leaking sensitive patient information. The gang previously caused significant disruption across NHS facilities in the UK, impacting pathology labs and healthcare delivery. On February 18, Qilin attacked Utsunomiya Central Clinic in Japan, stealing 140 GB of data including patient PII, medical histories, and scan images. The following day, Rockhill Women’s Care in Kansas City was hit, with 20 GB of documents leaked online, revealing extensive patient details. Qilin’s actions have led to healthcare service interruptions and compromised the personal data of roughly 300,000 patients at the Japanese clinic. Despite ongoing technical difficulties due to the cyberattack, Rockhill Women’s Care has not publicly confirmed the cybersecurity event. The ransomware group has been connected to multiple high-profile attacks on sensitive organizations, including The Big Issue, an organization aimed at aiding homeless individuals. Unlike other ransomware groups that occasionally show restraint, Qilin, believed to be Russian-based, consistently targets critical healthcare services without remorse.
2025-03-05 08:49:42 theregister MISCELLANEOUS Enhancing Cybersecurity with Preventative Endpoint Security Solutions
Endpoint devices are frequently targeted by cyber criminals, with reports indicating up to 90% of cyberattacks and 70% of data breaches originating from these devices. The average global cost of a data breach is estimated at USD 4.88 million per incident, emphasizing the financial impact of security lapses. Nearly half of the organizations surveyed are willing to pay ransoms to resolve cybersecurity threats, highlighting the increasing challenge of ransomware attacks. IGEL’s Preventative Security Model aims to reduce the attack surface by up to 95% through integrated security frameworks and endpoint management across diverse hardware platforms. This model supports a Zero Trust approach and optimizes endpoint systems for SaaS and virtual environments, potentially saving up to 75% in endpoint total cost of ownership. By centralizing endpoint security and reducing the need for multiple security tools, the IGEL model also boosts productivity, with one healthcare client reporting significant time savings for nurses. The preventative model relies on advanced security strategies including shifting Windows to cloud-based virtual desktops, enhancing both security and device lifespan while decreasing e-waste.
2025-03-05 07:09:48 thehackernews MALWARE Malicious Go Libraries Target Linux, macOS in Ongoing Campaign
Cybersecurity researchers have detected a malicious campaign that exploits the Go programming ecosystem, targeting Linux and macOS systems. At least seven typosquatted Go packages have been identified, mimicking popular libraries, one specifically aimed at developers in the financial sector. The infected packages are designed to execute remote code through shell commands and retrieve scripts from a remote server after a delay to avoid detection. The primary intention behind these attacks is to deploy executables capable of stealing sensitive data or credentials. Although the offending packages remain available on the official Go package repository, the associated GitHub repositories have mostly been taken offline. The techniques used include repeated malicious filenames, array-based string obfuscation, and delayed execution, indicating a sophisticated and coordinated threat actor. The discovery follows a recent revelation of another similar attack within the Go ecosystem, highlighting an ongoing threat and the need for heightened security measures. The infrastructure used by the attackers provides resilience and adaptability, suggesting a long-term strategy with multiple fallback options.
2025-03-05 02:25:47 bleepingcomputer CYBERCRIME Scammers Send Fake Ransom Notes to U.S. CEOs by Postal Mail
Scammers are using the U.S. Postal Service to send fake ransom notes to CEOs of U.S. companies, falsely claiming to be from the BianLian ransomware group. These letters, marked as "Time Sensitive Read Immediately," are tailored to each company's industry, falsely alleging theft of sensitive data like customer and employee information. The fraudsters demand payments ranging from $250,000 to $500,000 in Bitcoin to prevent the alleged leakage of data, with exact details and a QR code included in the notes. While the notes mimic the format used by ransomware groups, including using real data leak sites to enhance credibility, they do not represent actual data compromises or involvement by the BianLian group. Some letters include compromised passwords to make the claim seem more legitimate, although the intent is to extort money through fear rather than actual data exposure. GuidePoint Security and Arctic Wolf, among other security firms, advise that these notes are indeed scams and should not cause panic, though they should be reported and taken seriously by corporate security teams. This scheme represents an evolution in cyber extortion tactics, shifting from digital communication to more traditional postal means to target high-level corporate executives.
2025-03-05 01:17:53 theregister CYBERCRIME Tata Technologies Threatened by Ransomware, Hunters International Involved
Tata Technologies, a subsidiary of Tata Motors, has reportedly been targeted by the ransomware gang Hunters International. The attackers claim to have stolen 730,160 files (1.4 TB of data) and are threatening to publish it unless a ransom is paid. Tata Technologies has not publicly responded to the ransom demand or confirmed contact with the criminals. The company had earlier reported a "ransomware incident" in a mandatory filing with the Indian stock exchange. In response to the incident, Tata temporarily suspended some IT services, which have since been restored, ensuring that client delivery services remained unaffected. A detailed investigation is ongoing with expert consultation to identify the root cause and implement necessary remedial actions. Hunters International, possibly a rebranded version of the previously known Hive gang, targets high-profile entities and has been linked to other significant cyberattacks. Prior incidents include an attack on another Tata subsidiary, Tata Power, where data was published online after ransom demands were unmet.
2025-03-04 22:52:56 bleepingcomputer MALWARE Research Links Black Basta and Cactus Ransomware Operations
New research reveals connections between the Black Basta and Cactus ransomware groups, with both utilizing similar malware and techniques. Analysis uncovered the use of BackConnect, a proxy malware related to Qbot, facilitating remote access without detection. Black Basta, which emerged in April 2022, reportedly contains former members of the Conti ransomware gang. Following a police crackdown on Qbot, Black Basta and Cactus started employing new methods, like social engineering via Microsoft Teams and Windows Quick Assist for network breaches. Research by Trend Micro found overlapping tactics and technical markers between Black Basta and Cactus attacks, hinting at potential member crossover or rebranding. Links between Black Basta and Cactus were further corroborated by shared use of command and control servers and encryption routines. Black Basta's recent inactivity and the shutdown of its leak site suggest a possible disbandment or transition of members to other ransomware groups like Cactus.
2025-03-04 20:14:34 bleepingcomputer DDOS Eleven11bot Botnet Hits Over 86,000 IoT Devices, Launches DDoS Attacks
Nokia researchers have identified a new botnet malware, Eleven11bot, which has compromised over 86,000 IoT devices including security cameras and network video recorders to perform DDoS attacks. The botnet is allegedly linked to Iran and has targeted telecommunication providers and online gaming servers with DDoS attacks, reaching hundreds of millions of packets per second. Eleven11bot's distribution mechanism includes brute-forcing devices with weak or default admin credentials and scanning for exposed Telnet and SSH ports. Over 1,400 IP addresses connected to this botnet have been documented in the past month, with the majority based in Iran, and many are flagged as malicious. Devices primarily infected are located in the United States, the United Kingdom, Mexico, Canada, and Australia. Security experts advise updating IoT devices, changing default credentials, disabling unnecessary remote access, and monitoring for signs of compromise. Blocking IPs related to the Eleven11bot and regular checks for device end-of-life status are recommended to mitigate risks and potential attacks.
2025-03-04 19:33:36 theregister CYBERCRIME Critical VMware Bugs Exploited; Urgent Patches Released
Broadcom released patches for three critical vulnerabilities in VMware products, including ESXi and vSphere. The bugs were actively exploited, allowing attackers to escape from a guest VM to the host system. Microsoft identified the vulnerabilities, which can be chained to gain control over the hypervisor. The most severe vulnerability, CVE-2025-22224, allows code execution and carries a 9.3 CVSS score. Attackers need administrative privileges on the VM to exploit these vulnerabilities. VMware sysadmins were urged to apply updates immediately due to the risk of ransomware attacks, as the security holes have been known to be exploited by notorious ransomware groups. Broadcom has yet to disclose the extent of the exploitation or the identities of the attackers.
2025-03-04 18:47:05 bleepingcomputer CYBERCRIME Cisco Identifies Webex for BroadWorks Security Flaw Exposing Credentials
Cisco alerted customers about a vulnerability in Webex for BroadWorks that could allow unauthenticated, remote attackers to access sensitive data and credentials. The issue affects Webex for BroadWorks Release 45.2 in on-premises and hybrid cloud/on-premises environments, specifically those running on Windows. Sensitive information was found exposed in SIP headers due to misconfiguration of secure transport protocols. Cisco has implemented a configuration change to rectify the flaw and advised customers to restart their Webex apps to ensure the update is applied. As a temporary measure, Cisco recommended that administrators configure secure transport for SIP communications to encrypt data in transit and suggested credential rotation as a precaution. The vulnerability has not been assigned a CVE ID yet and there is no evidence of exploitation in the wild or public disclosures of the vulnerability. In contrast, another Cisco flaw (CVE-2023-20118) in certain VPN routers was recently reported as actively exploited, emphasizing ongoing security challenges.
2025-03-04 17:06:11 bleepingcomputer MISCELLANEOUS Google Expands AI Scam Detection on Pixel Phones
Google is enhancing AI-powered scam detection features for Android to tackle sophisticated social engineering scams via phone and text. New features detect and warn users about conversational scams that evolve from benign interactions to potentially harmful ones. Traditional spam protections are not equipped to handle these scams, which often involve spoofed numbers and manipulative tactics. Partnerships with banks have informed the development of these AI models, aiming to recognize and counter the latest scam techniques. Scam Detection for Messages will warn of various scams, including job and delivery lures, and is activated for messages from unknown numbers. The call security feature, powered by the on-device Gemini Nano model, offers real-time scam analysis during phone calls and is initially available to English-speaking Pixel users in the U.S. These features preserve privacy by analyzing data on the device itself, without transferring sensitive information to Google. While Message Scam Detection is automatically enabled, the call feature requires manual activation due to privacy considerations.
2025-03-04 16:26:11 thehackernews CYBERCRIME Shift in Tactics: Black Basta Affiliates Migrate to CACTUS Ransomware
Researchers have identified that the tactics of the CACTUS ransomware group mirror those previously used by Black Basta affiliates, suggesting a migration or shift in affiliate allegiances. Both ransomware families, Black Basta and CACTUS, utilize a BackConnect module that provides persistent remote control over infected hosts, facilitating data theft and command execution. The BackConnect module, also known as QBACKCONNECT, was first documented in detail by Walmart's Cyber Intelligence team and Sophos in January 2025. Cybercriminals employing the Black Basta ransomware have used strategies like email bombing to install malware through channels disguised as IT support. Similarly, the CACTUS group has adopted these techniques to deploy their ransomware, but with additional post-exploitation actions such as lateral movement and data exfiltration. However, in the CACTUS group's recent ransomware attack, attempts to encrypt network data were unsuccessful. The operational overlap and shared tactics between these groups have come under scrutiny following leaks of Black Basta's internal communications, revealing shared credentials and tactics. Popular initial access points for these threat actors include Remote Desktop Protocol (RDP) and VPN endpoints, often exploited to gain entry into targeted networks.