Daily Brief

Total articles found: 11759

2025-09-25 17:18:49 theregister CYBERCRIME Radiant Group Ransomware Attack Exposes Preschoolers' Sensitive Data
Radiant Group, a new cybercriminal entity, breached Kido International, compromising sensitive data of preschoolers and their parents, including images and home addresses. The attack represents the group's first data leak on its dark web platform, employing aggressive extortion tactics by publishing detailed profiles of ten children. Kido International, specializing in early childhood development, operates globally, but affected individuals are currently reported in the UK. The group's tactics involve contacting regulators and associates to amplify pressure, reflecting a shift towards more aggressive ransomware strategies. Experts emphasize the moral degradation of targeting such vulnerable populations, raising ethical concerns even among other cybercriminals. This incident underscores the necessity for organizations handling sensitive data to enhance security measures to prevent such breaches. Law enforcement and cybersecurity experts predict increased resistance to negotiations with groups displaying such blatant disregard for human decency. The attack highlights the critical need for robust security frameworks to deter opportunistic cyber threats and protect vulnerable sectors.
2025-09-25 16:57:45 bleepingcomputer VULNERABILITIES Cisco Urges Immediate Patching of Exploited ASA Firewall Zero-Days
Cisco has identified two zero-day vulnerabilities in its ASA and FTD firewall software, urging customers to apply patches immediately to prevent exploitation. The first vulnerability (CVE-2025-20333) allows authenticated attackers to execute arbitrary code remotely, posing significant risks to affected systems. The second vulnerability (CVE-2025-20362) permits unauthorized access to restricted URL endpoints, potentially compromising sensitive information. Cisco's Product Security Incident Response Team has observed attempted exploits and collaborates with international cybersecurity agencies for mitigation. In addition to these zero-days, Cisco patched another critical flaw (CVE-2025-20363) that could allow remote code execution on unpatched devices. Recent reconnaissance activity detected by GreyNoise suggests these vulnerabilities were targeted in large-scale campaigns involving 25,000 IP addresses. Cisco continues to release security patches for other high-severity vulnerabilities, emphasizing the need for organizations to maintain up-to-date defenses.
2025-09-25 16:24:32 bleepingcomputer MISCELLANEOUS Amazon Settles FTC Lawsuit Over Prime Membership Dark Patterns
Amazon will pay $2.5 billion to resolve allegations from the FTC about deceptive practices in its Prime membership enrollment process, impacting millions of users. The settlement includes a $1 billion civil penalty and $1.5 billion in refunds to approximately 35 million affected consumers, addressing concerns about unauthorized subscription enrollments. The FTC accused Amazon of using dark patterns to manipulate users into Prime subscriptions, making cancellation processes intentionally difficult and confusing. Internal Amazon documents revealed awareness among executives about the deceptive nature of their subscription practices, referring to it as a "shady world." This legal action follows a previous $25 million fine against Amazon for alleged violations of children's privacy laws related to its Alexa service. The settlement aims to prevent future deceptive practices by Amazon, reinforcing consumer protection and transparency in subscription services. The case underscores the importance of regulatory oversight in safeguarding consumer rights against manipulative online business practices.
2025-09-25 15:44:20 bleepingcomputer MALWARE Malicious Rust Packages Compromise Crypto Wallet Security on Crates.io
Two malicious Rust packages, faster_log and async_println, were downloaded nearly 8,500 times from Crates.io, targeting developers' crypto wallet keys and sensitive information. The packages mimicked the legitimate fast_log crate, retaining its functionality to avoid detection while embedding malicious code that exfiltrated data. Attackers exploited the log file packing feature to scan systems for sensitive data, sending it to a Cloudflare Worker URL not affiliated with Solana RPC. Crates.io swiftly removed the malicious packages and suspended the accounts 'rustguruman' and 'dumbnbased' responsible for their publication. Developers affected by these packages are advised to clean their systems and transfer digital assets to new wallets to mitigate potential theft. This incident serves as a reminder to verify the reputation of package publishers and review build instructions to avoid inadvertently downloading harmful software. The attack had limited impact due to the absence of dependent downstream crates and no other submissions from the banned publishers.
2025-09-25 15:22:07 thehackernews VULNERABILITIES Salesforce Patches Critical AI Vulnerability Exposing CRM Data
Salesforce's Agentforce platform was affected by a critical vulnerability named ForcedLeak, potentially allowing data exfiltration via AI prompt injection. The flaw, discovered by Noma Security, carries a CVSS score of 9.4 and impacts organizations using Salesforce's Web-to-Lead functionality. The vulnerability exploits weaknesses in context validation and AI model behavior, enabling unauthorized command execution and data leakage. Attackers could leverage an expired Salesforce-related domain to exfiltrate sensitive data, highlighting risks associated with domain management. Salesforce has patched the vulnerability by enforcing a Trusted URL allowlist, preventing unauthorized data output to untrusted URLs. Organizations are advised to audit lead data for anomalies, implement strict input validation, and sanitize data from untrusted sources to mitigate risks. This incident underscores the need for robust AI security measures to prevent significant financial and reputational damages.
2025-09-25 14:35:14 bleepingcomputer MISCELLANEOUS Evaluating Passkeys as a Secure Alternative to Passwords
The rise of passkeys as a passwordless authentication method is gaining traction, driven by their resistance to phishing and brute-force attacks compared to traditional passwords. According to the FIDO Alliance, passkeys leverage public key cryptography, relying on devices like phones or security keys rather than memory-based credentials. Passkeys offer enhanced security by ensuring that only public keys are stored on company databases, rendering them useless without the corresponding private key on the user's device. Despite their advantages, passkeys face challenges such as implementation complexity, costs, and compatibility issues with legacy systems, limiting their immediate widespread adoption. Organizations are likely to adopt hybrid models, integrating passkeys while maintaining strong password hygiene for systems where passkeys are not feasible. Verizon's 2025 Data Breach Investigations Report indicates that stolen credentials are involved in 88% of breaches, underscoring the need for robust authentication methods. Specops Software promotes its Password Policy tool to enhance password security by blocking compromised passwords, highlighting the ongoing importance of password management.
2025-09-25 13:18:05 thehackernews NATION STATE ACTIVITY North Korean Hackers Target Crypto Developers with AkdoorTea Backdoor
North Korean threat actors linked to the Contagious Interview campaign have introduced a new backdoor, AkdoorTea, targeting global cryptocurrency and Web3 developers across multiple operating systems. The DeceptiveDevelopment campaign utilizes social engineering tactics, posing as recruiters offering fake job roles on platforms like LinkedIn and Upwork to distribute malware. The attack chain involves malicious scripts in Python and JavaScript, leveraging multi-platform backdoors and a dark web project in .NET to compromise targets. Malware such as BeaverTail, InvisibleFerret, and WeaselStore is deployed for data exfiltration, focusing on sensitive information from browsers and cryptocurrency wallets. The TsunamiKit toolkit is used for cryptocurrency theft, employing components like TsunamiLoader and TsunamiHardener to establish persistence and evade detection. Tropidoor, a sophisticated payload linked to the Lazarus Group, shares code with other malware used in past campaigns, demonstrating advanced capabilities in stealth and data manipulation. The campaign's reliance on open-source tools and creative social engineering illustrates a volume-driven approach, compensating for technical limitations with scale. The operation is part of a broader North Korean strategy, including fraudulent IT worker schemes, blending traditional crime with cybercrime tactics.
2025-09-25 12:55:20 bleepingcomputer CYBERCRIME Teen Hacker Released After Vegas Casino Cyberattacks Investigation
A 17-year-old linked to cyberattacks on Vegas casinos was released to parental custody after being charged with sophisticated network intrusions. The attacks, attributed to the Scattered Spider group, targeted MGM Resorts and Caesars Entertainment, deploying BlackCat/ALPHV ransomware. Operational disruptions and data breaches resulted in over $100 million in damages for MGM and a $15 million ransom paid by Caesars. Prosecutors allege the suspect holds $1.8 million in Bitcoin, yet to be recovered, and advocate for trial as an adult due to the attack's severity. The court imposed restrictions on the suspect's internet and electronics use, with any violations leading to immediate detention. Charges include extortion, conspiracy, and unlawful computer acts, with potential for additional charges as investigations progress. The case reflects ongoing challenges in managing cyber threats from younger individuals involved in sophisticated criminal activities.
2025-09-25 11:48:47 theregister VULNERABILITIES Cisco's New Zero-Day Vulnerability Threatens Network Security Worldwide
Cisco confirmed a critical zero-day vulnerability, CVE-2025-20352, affecting IOS and IOS XE software, which attackers are actively exploiting. The flaw resides in the SNMP subsystem, allowing attackers with SNMP access to execute arbitrary code with root privileges. Successful exploitation can lead to full device compromise, posing significant risks to organizations relying on Cisco's networking equipment. Cisco's Product Security Incident Response Team urges immediate software updates to address the vulnerability, as no workaround is available. The company advises restricting SNMP access to trusted hosts as a temporary measure, though this is insufficient if attackers have already breached defenses. This vulnerability is part of a series of serious issues affecting Cisco's IOS, raising concerns about the security of critical network infrastructure. Organizations delaying patches risk exposure to attacks, given the historical exploitation patterns of Cisco's zero-day vulnerabilities.
2025-09-25 11:48:46 thehackernews VULNERABILITIES Continuous Threat Exposure Management Enhances Cybersecurity Focus and Efficiency
Traditional vulnerability management struggles under the weight of over 40,000 CVEs annually, overwhelming security teams with alerts deemed "critical" by scoring systems like CVSS and EPSS. Continuous Threat Exposure Management (CTEM) shifts focus from volume to clarity, emphasizing prioritization and validation to manage real threats effectively. CTEM addresses both technical and nontechnical exposures, predicting that by 2028, over half will stem from issues like misconfigured SaaS apps and human error. Adversarial Exposure Validation (AEV) technologies, including Breach and Attack Simulation (BAS) and Automated Pentesting, provide real-world context to prioritize vulnerabilities. AEV technologies help distinguish between theoretical threats and those that are truly exploitable, optimizing resource allocation and response strategies. Case studies, such as the Log4j vulnerability, demonstrate how AEV can reprioritize risks based on contextual factors, enhancing operational efficiency. The upcoming State of BAS 2025 summit will explore advancements in security validation, showcasing how AI and BAS are redefining attack simulation.
2025-09-25 11:48:46 thehackernews VULNERABILITIES SonicWall and OnePlus Address Critical Security Vulnerabilities
SonicWall released a firmware update for SMA 100 series devices to remove rootkit malware, addressing threats from the UNC6148 group's OVERSTEP malware. The update includes additional file checks and urges users to upgrade to version 10.2.2.2-92sv due to significant vulnerabilities in legacy VPN appliances. OnePlus faces a critical permission bypass vulnerability in OxygenOS, allowing unauthorized access to SMS/MMS data, posing risks to sensitive information like MFA codes. The vulnerability, present since OxygenOS 12 in 2021, remains unpatched, though OnePlus is investigating the issue. These incidents highlight the ongoing need for timely updates and proactive vulnerability management to safeguard sensitive data and maintain operational integrity.
2025-09-25 10:32:32 theregister MISCELLANEOUS EU Launches Biometric Entry/Exit System for Schengen Area Borders
The European Union is implementing a Biometric Entry/Exit System (EES) for non-EU travelers, effective from October, across 29 Schengen countries to enhance border security and efficiency. The EES requires travelers, including those from the UK and US, to register fingerprints and facial images, replacing traditional passport stamping with biometric verification. Managed by eu-LISA, the system stores biometric and passport data for three years, or five if no exit is recorded, to monitor compliance with the 90-day travel rule. Eurostar and Eurotunnel have invested significantly in registration infrastructure, with Eurostar initially targeting premier passengers and Eurotunnel expanding to various transport modes by year-end. Critics, such as European Digital Rights, argue the data collection is excessive, although improvements have been made since initial proposals. The UK has allocated funds to support EES infrastructure at key transport hubs, ensuring smooth implementation and compliance with new EU travel regulations. A €20 visa waiver, ETIAS, will be introduced in late 2026 for travelers from visa-exempt countries, further streamlining entry into the Schengen area.
2025-09-25 10:19:15 thehackernews DDOS Gcore Radar Report: Technology Sector Now Prime DDoS Target
Gcore's latest report reveals a 41% year-on-year increase in DDoS attack volume, with technology overtaking gaming as the primary target. The largest attack recorded in Q1–Q2 2025 peaked at 2.2 Tbps, indicating a rise in both scale and ambition of attackers. Technology accounts for 30% of DDoS attacks, surpassing gaming's reduced share of 19%, due to enhanced defenses and strategic shifts by attackers. Financial services remain highly vulnerable, representing 21% of attacks, driven by their disruption potential and regulatory sensitivity. Attack durations are lengthening, with 10–30 minute assaults nearly quadrupling, while maximum durations slightly decreased, focusing on high-impact strikes. UDP flood attacks dominate network-layer threats, comprising 56%, with multi-vector strategies increasingly used to disguise malicious activity. The United States, Netherlands, and emerging source Hong Kong are key origins of network-layer attacks, stressing the need for geographically aware defenses. Gcore's advanced DDoS Protection utilizes over 200 Tbps filtering capacity and integrated API security to safeguard critical assets against evolving threats.
2025-09-25 09:40:08 theregister DATA BREACH Co-op Cyberattack Results in £80 Million Financial Impact
The Co-operative Group suffered a significant cyberattack in April 2025, resulting in an £80 million profit loss and a £206 million revenue hit. The attack led to the theft of personal data of 6.5 million members, including names and contact information, though no payment data was compromised. Operational disruptions included supply chain issues, empty shelves, and halted back-office functions, prompting Co-op to offer discounts to affected members. Despite the breach, Co-op's defenses prevented a full ransomware deployment, mitigating potentially greater financial damage. The UK's National Crime Agency arrested four suspects linked to the attack, believed to be part of the Scattered Spider hacker group. Investigations by regulators, including the Information Commissioner's Office, are underway to assess data exposure and response measures. Co-op's leadership emphasized its resilience and community focus, launching initiatives to address cyber threats and support vulnerable groups. The company anticipates reduced cyber impact in the latter half of the year but remains cautious about ongoing market challenges.
2025-09-25 08:56:54 theregister DATA BREACH Home Office Tightens Rules on Police Access to Facial Databases
The Home Office has issued new guidance for police searches of its passport and visa facial image databases following privacy concerns and legal challenges from advocacy groups. Law enforcement searches of the passport database surged from two in 2020 to 417 in 2023, prompting privacy campaigners to demand stricter controls. New procedures require police to exhaust all other options before accessing these databases, ensuring searches are in the public interest and related to serious crime or national security. Approval for database searches now requires a police inspector's sign-off and completion of detailed forms, with urgent requests discouraged unless absolutely necessary. Matches from facial image searches must be reviewed by at least two Home Office staff members, with results not considered expert opinions. The UK Passport Office and Immigration Biometric System hold extensive data, with 53.2 million passport photos and 92 million immigration images, raising significant privacy implications. This move aims to balance law enforcement needs with privacy rights, reflecting growing scrutiny over government-held biometric data usage.