Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 12612
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-12-18 16:19:28 | bleepingcomputer | CYBERCRIME | U.S. Seizes E-Note Crypto Exchange in Ransomware Laundering Crackdown | U.S. law enforcement, with international partners, dismantled E-Note, a cryptocurrency exchange implicated in laundering over $70 million from ransomware and account takeover attacks. The FBI identified E-Note as a key player in transferring illicit proceeds since 2017, involving a network of international "money mules." Authorities seized E-Note's servers, domains, and mobile apps, disrupting a major channel for cybercriminal financial operations. The U.S. Attorney's Office indicted Mykhalio Petrovich Chudnovets, a Russian national, on charges of money laundering conspiracy; he potentially faces a 20-year prison sentence. The confiscation of customer databases and transaction records may aid in identifying additional cybercriminals and users of the E-Note service. This operation demonstrates the effectiveness of international collaboration in targeting and dismantling cybercriminal infrastructure. The case highlights the ongoing challenge of cryptocurrency exchanges being exploited for laundering illicit funds from cybercrime activities. | Details |
| 2025-12-18 15:12:27 | bleepingcomputer | VULNERABILITIES | Navigating NIS2 Compliance: Enhancing Passwords and Multi-Factor Authentication | The EU's NIS2 Directive mandates enhanced cybersecurity measures for medium and large organizations in 18 critical sectors, effective from January 2023, with national law implementation by October 2024. Organizations with over 50 employees or annual revenues exceeding €10 million must comply, facing penalties up to €10 million or 2% of global turnover for non-compliance. NIS2 emphasizes identity and access management, requiring robust policies to prevent unauthorized access, as compromised credentials are involved in 80% of breaches. Strong password policies now prioritize length over complexity, aligning with NIST guidelines, and discourage mandatory rotation unless evidence of compromise exists. Multi-factor authentication (MFA) is strongly recommended, especially for privileged access, to provide an additional security layer against automated attacks. Organizations are advised to implement phishing-resistant MFA and focus on scalable processes and tools to meet NIS2 requirements effectively. Specops Software offers expertise in aligning authentication controls with NIS2, providing tailored solutions to enhance security without overwhelming IT teams. | Details |
| 2025-12-18 14:43:09 | thehackernews | VULNERABILITIES | Critical HPE OneView Flaw Enables Unauthenticated Remote Code Execution | Hewlett Packard Enterprise has addressed a critical vulnerability in its OneView software, identified as CVE-2025-37164, which could allow remote code execution by unauthenticated users. The vulnerability, with a CVSS score of 10.0, affects all OneView versions prior to 11.00, necessitating immediate patching to prevent potential exploitation. HPE has released a hotfix for OneView versions 5.20 through 10.20, which must be reapplied following certain upgrades or system reimaging operations. Separate hotfixes are available for both the OneView virtual appliance and Synergy Composer2, ensuring comprehensive coverage across affected systems. Although there is no current evidence of the vulnerability being exploited in the wild, prompt application of patches is crucial for maintaining security. This incident follows HPE's recent updates in June, which addressed multiple vulnerabilities in its StoreOnce solution, highlighting ongoing efforts to enhance security. Organizations using HPE OneView should prioritize updating to version 11.00 or applying the relevant hotfixes to mitigate potential risks. | Details |
| 2025-12-18 14:35:54 | theregister | VULNERABILITIES | SonicWall SMA 1000 Zero-Day Exploited in Active Attacks | SonicWall has alerted users to a zero-day vulnerability in its SMA 1000 series, actively exploited to gain root-level access through chained bugs. The flaw, CVE-2025-40602, involves insufficient authorization checks, allowing privilege escalation when combined with a previous vulnerability, CVE-2025-23006. SonicWall advises immediate updates to the latest hotfix versions and recommends restricting console access to trusted networks to mitigate risks. The vulnerability affects only SMA 1000 appliances, leaving other SonicWall products and functions unaffected, but hundreds of exposed units remain vulnerable online. In a separate incident, SonicWall's MySonicWall cloud backup service was compromised, exposing configuration files that could aid attackers if decrypted. SonicWall attributes the cloud backup breach to state-sponsored actors, prompting recommendations for users to enhance security measures and avoid cloud storage for backups. The ongoing exploitation of these vulnerabilities indicates the persistent threat to remote-access infrastructure and the need for robust security practices. | Details |
| 2025-12-18 13:56:36 | theregister | CYBERCRIME | FBI Shuts Down $70M Crypto Laundering Operation E-Note | The FBI, in collaboration with European law enforcement, dismantled E-Note, a crypto laundering service allegedly used by cybercriminals to wash over $70 million in illicit funds. E-Note, an unlicensed virtual currency exchange, reportedly facilitated money laundering for ransomware groups and other cybercriminals by converting stolen cryptocurrency into less traceable assets. Authorities seized servers, mobile apps, and domains linked to E-Note, effectively terminating its operations and disrupting a significant financial channel for cybercrime. Mykhalio Petrovich Chudnovets, a Russian national, was charged with conspiracy to launder monetary instruments, accused of running E-Note since at least 2010. The operation is part of a broader strategy to target financial services that enable cybercrime, focusing on disrupting the infrastructure rather than just individual actors. The takedown aims to increase operational costs for cybercriminals by eliminating easy cash-out options, potentially reducing the profitability of cybercrime activities. While the long-term impact remains uncertain, this action reflects a strategic shift in law enforcement efforts to combat the financial mechanisms supporting cybercrime. | Details |
| 2025-12-18 13:48:26 | bleepingcomputer | NATION STATE ACTIVITY | Malware Discovered on Italian Ferry Linked to Foreign Interference | French authorities arrested a Latvian crew member of the Fantastic ferry for allegedly installing malware, potentially allowing remote control of the vessel on behalf of a foreign power. The investigation, led by France's counterespionage agency DGSI, involves collaboration with Italian authorities following the discovery of the malware by the ferry's owner, Grandi Navi Veloci. The malware was neutralized without causing operational disruptions, though details on which systems were targeted remain undisclosed by GNV. The Paris prosecutor's office confirmed the ongoing investigation and the seizure of items for examination, with the Latvian suspect facing charges of conspiracy to infiltrate computer systems. French Interior Minister Laurent Nuñez acknowledged the seriousness of the incident, suggesting potential foreign interference, without directly naming any specific country. This incident coincides with another cyberattack on the French Ministry of the Interior's email servers, leading to the arrest of a 22-year-old suspect charged with unauthorized data access. The case underscores the persistent threat of foreign cyber interference in critical infrastructure, highlighting the need for robust cybersecurity measures and international cooperation. | Details |
| 2025-12-18 13:16:11 | thehackernews | CYBERCRIME | European Authorities Dismantle €10 Million Call Center Scam Network | Law enforcement from multiple European countries dismantled a criminal network operating call centers in Ukraine, defrauding over 400 victims across Europe of more than €10 million. The scam involved impersonating police officers and bank officials to trick victims into transferring funds to accounts controlled by the criminals. Approximately 100 employees were involved, recruited from countries like the Czech Republic, Latvia, and Lithuania, with incentives including cash bonuses and luxury items. Authorities arrested 12 suspects and seized cash, vehicles, and weapons during the operation, marking a significant disruption of the network. The operation underscores the sophistication of modern cybercrime, leveraging social engineering and organized structures to execute large-scale fraud. This case highlights the importance of cross-border cooperation in tackling cybercrime and protecting citizens from financial scams. | Details |
| 2025-12-18 13:09:59 | theregister | CYBERCRIME | Cyberattack on NHS Tech Supplier DXS International Contained Quickly | DXS International, a tech supplier for the NHS, experienced a cyberattack affecting its internal systems early Sunday, impacting around 2,000 GP practices using its products. The attack was swiftly contained by DXS's IT staff and NHS England, ensuring minimal disruption to frontline clinical services. A third-party digital forensics firm is investigating to determine the attack's full scope and nature, while DXS cooperates with authorities. DXS disclosed the incident to the London Stock Exchange and informed relevant regulators, including the Information Commissioner's Office. Despite the attack, DXS reports minimal impact on its products, with its ExpertCare solution remaining operational for cardiovascular prescription management. The incident underscores the importance of robust cybersecurity measures in healthcare, given the potential impact on patient care and operational continuity. DXS anticipates significant revenue growth opportunities amid NHS restructuring, aiming to standardize platforms across its customer base. | Details |
| 2025-12-18 13:00:41 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Escalate Global Cryptocurrency Thefts in 2025 | North Korean-linked hackers stole $2.02 billion in cryptocurrency in 2025, accounting for 76% of service compromises, according to Chainalysis' Crypto Crime Report. The Bybit exchange hack in February was a significant incident, with $1.5 billion stolen by the TraderTraitor group, also known as Jade Sleet and Slow Pisces. The Lazarus Group, affiliated with North Korea's Reconnaissance General Bureau, continues its decade-long campaign, including a recent $36 million theft from South Korea's Upbit exchange. North Korean operatives employ tactics such as IT worker infiltration and job scams to gain access to crypto services, enhancing their ability to execute large-scale thefts. Stolen funds are laundered through Chinese-language services, cross-chain bridges, and specialized marketplaces, indicating strong ties with illicit networks in the Asia-Pacific region. The U.S. Department of Justice sentenced Minh Phuong Ngoc Vong to 15 months for his role in an IT worker scheme, aiding North Korean nationals in securing jobs at U.S. agencies. The IT worker scheme is evolving, with DPRK actors recruiting collaborators via platforms like Upwork to expand operations, often bypassing platform verification controls. | Details |
| 2025-12-18 11:47:07 | theregister | VULNERABILITIES | React2Shell Exploitation Escalates, Affecting Hundreds of Organizations Globally | Microsoft has reported that attackers have compromised several hundred machines across various sectors using the React2Shell vulnerability, CVE-2025-55182, to execute code and deploy malware. The React2Shell flaw in React Server Components allows attackers to run arbitrary commands, leading to malware deployment and ransomware attacks, with activity often disguised as legitimate application traffic. Initial exploitation linked to threat actors from China and Iran has rapidly expanded, with attackers chaining React2Shell with other vulnerabilities to breach systems at scale. Security firm S-RM confirmed a real-world intrusion where React2Shell was used as the initial access point, marking a shift towards financially motivated cyber extortion attacks. GreyNoise Intelligence reports ongoing, high-intensity exploitation, with a significant number of malware payloads detected across numerous networks since the vulnerability's disclosure. Approximately 39% of cloud environments are susceptible to React2Shell, yet half of the vulnerable systems remain unpatched, increasing the risk of exploitation. Microsoft advises organizations to apply patches, audit their React Server Component deployments, and monitor for exploitation signs to mitigate ongoing risks. | Details |
| 2025-12-18 11:39:02 | bleepingcomputer | VULNERABILITIES | Critical Remote Code Execution Flaw Patched in HPE OneView Software | Hewlett Packard Enterprise has addressed a critical vulnerability in its OneView software, allowing remote code execution by unauthenticated attackers. This flaw impacts all versions before 11.00. The vulnerability, identified as CVE-2025-37164, was discovered by security researcher Nguyen Quoc Khanh and involves low-complexity code-injection attacks. HPE has advised immediate patching as no workarounds exist. The update to version 11.00 or later is available through HPE's Software Center. For devices operating on OneView versions 5.20 to 10.20, a security hotfix is available, requiring reapplication after certain upgrades or reimaging processes. HPE has not confirmed any active exploitation of this vulnerability but emphasizes the urgency of patching to prevent potential attacks. The company, serving over 55,000 organizations globally, including 90% of Fortune 500 firms, continues to reinforce its cybersecurity posture with regular updates. This incident follows recent patches for other critical vulnerabilities in HPE products, underscoring the importance of timely software updates. | Details |
| 2025-12-18 11:32:29 | thehackernews | MISCELLANEOUS | Dynamic AI-SaaS Security Essential as AI Copilots Transform Workflows | The integration of AI copilots in SaaS applications like Zoom, Slack, and Microsoft 365 is rapidly expanding, creating complex data pathways that challenge traditional security measures. AI agents operate at machine speed, often with elevated privileges, complicating the ability of static security models to track and manage their activities effectively. Legacy security systems struggle with AI's dynamic nature, as these agents can access and aggregate data across multiple platforms, potentially exposing sensitive information. Traditional governance models, based on static roles and periodic audits, are inadequate for the fast-paced changes AI integrations introduce, leading to permission drift and security gaps. Dynamic AI-SaaS security platforms offer real-time monitoring and adaptive guardrails, ensuring AI activities align with security policies and preventing unauthorized access or data breaches. These platforms provide detailed logs and visibility into AI actions, allowing security teams to trace and respond to incidents promptly, maintaining control without hindering innovation. Organizations are encouraged to adopt dynamic security models to effectively manage AI-driven transformations in SaaS environments, ensuring resilience and safeguarding against emerging threats. | Details |
| 2025-12-18 09:42:43 | theregister | VULNERABILITIES | DVSA Faces Challenges with Outdated Booking System and Bot Exploits | The UK's Driver and Vehicle Standards Agency (DVSA) is struggling with an 18-year-old booking system overwhelmed by bot activity, impacting driving test availability and scheduling. The system faced 94 million daily requests, significantly affecting its stability and leading to long wait times for driving tests, with some centers reporting a 24-week backlog. Bots are being used by resellers to secure and swap driving test slots, charging candidates up to £500, compared to the official fee of £62. DVSA's current anti-bot measures are quickly circumvented by developers, highlighting significant security and operational limitations in the system. The agency lacks dedicated staff for bot defense, relying on existing personnel and supplier support, and has automated some protective measures. Plans are in place to restrict test bookings to candidates only by spring 2026, aiming to reduce misuse and improve the accuracy of demand assessments. The National Audit Office recommends DVSA increase its examiner workforce to meet the rising demand for driving tests and address the root causes of the backlog. | Details |
| 2025-12-18 09:19:28 | theregister | MISCELLANEOUS | UK Surveillance Law Faces Criticism for Oversight and IT Gaps | The UK's Investigatory Powers Commissioner, Sir Brian Leveson, reported significant oversight gaps in the Investigatory Powers Act 2016 and its 2024 amendments, urging future legislative reforms by the Home Office. A major concern involves privileged information from foreign partners, such as the Five Eyes alliance, which currently bypasses judicial commissioner authorization, posing a risk to regulatory oversight. The UK intelligence community, including MI5, MI6, and GCHQ, is not required to disclose serious data breaches if classified as "relevant errors," raising concerns over public interest transparency. The report calls for reforms to address technological advancements and clarify legal definitions, particularly around communications and financial transaction data, which complicate law enforcement investigations. Aging IT systems used by law enforcement agencies for data management under the IPA remain a critical issue, with calls for a comprehensive replacement plan before the current system is decommissioned. Technical Capability Notices (TCNs) remain contentious, with a recent tribunal ruling supporting public disclosure of TCN-related facts, emphasizing the need for informed public debate on lawful access capabilities. The ongoing debate over TCNs, including a case involving Apple, underscores tensions between privacy rights and government access for national security purposes. | Details |
| 2025-12-18 07:50:19 | thehackernews | NATION STATE ACTIVITY | Kimsuky Deploys DocSwap Malware via QR Phishing in New Campaign | North Korean group Kimsuky has launched a campaign using QR codes to distribute DocSwap malware, posing as a delivery app from CJ Logistics. The malware targets Android devices, employing QR phishing tactics to bypass security warnings and lure users into installing the malicious app. Victims are tricked through smishing texts and phishing emails into scanning QR codes that redirect them to download the malware. The malicious app decrypts an embedded APK, launching a RAT service capable of logging keystrokes, capturing audio, and accessing sensitive data. Attackers use a fake OTP authentication screen to deceive users into inputting verification codes, masking malicious activities. The campaign also involves repackaging legitimate apps with malicious code, including a VPN program available on Google Play Store. Kimsuky's infrastructure includes phishing sites mimicking South Korean platforms like Naver and Kakao, aiming to steal user credentials. This campaign reflects an evolution in Kimsuky's tactics, showcasing advanced methods to infiltrate and exploit Android devices. | Details |