Cyber Mornings Daily

Based on the sources, the key topics focus on recent cybersecurity incidents. One significant event detailed is a ransomware attack against Hitachi Vantara, where the company took servers offline to contain the incident attributed to the Akira ransomware operation. Akira has impacted over 300 organizations and collected millions in ransom payments. The sources also describe a Chinese espionage campaign by a group called PurpleHaze, which attempted reconnaissance against cybersecurity company SentinelOne's infrastructure and customers. This group utilizes tools like ORB networks and backdoors such as GoReShell and ShadowPad. Furthermore, a data breach at VeriSource Services is reported, impacting four million people by exposing sensitive personal data including names, addresses, dates of birth, genders, and Social Security numbers. Although the incident occurred in February 2024, the full scope wasn't determined until April 2025, leading to delayed notifications.

One major topic is a technical issue at Coinbase where a logging error misidentified failed password attempts as "2FA failures," leading to user concerns about account compromise and potential misuse of these errors in social engineering attacks. Another significant topic is the evolution of the ransomware landscape, specifically the DragonForce group's introduction of a "ransomware cartel" model offering white-label branding and infrastructure to other ransomware operations. Finally, the sources also discuss Google's advancements in its Unified Security platform, including new features for threat detection, automation, and integration of Mandiant's threat intelligence, as well as key findings from Mandiant's 2025 M-Trends report on attack trends.

The sources discuss several recent cybersecurity incidents, including how hackers are exploiting Zoom's remote control feature to conduct crypto-theft attacks. This involves social engineering tactics where attackers impersonate legitimate entities to trick users into granting remote access, potentially leading to the theft of sensitive data and cryptocurrency. Additionally, Marks & Spencer confirmed they are dealing with a cyberattack that has impacted their operations, particularly the Click and Collect service. Furthermore, SK Telecom issued a warning about a malware attack that resulted in the exposure of customer USIM data. The sources also include tutorials on various computer security and maintenance tasks, such as accessing the dark web, using the Windows Registry Editor, removing malware, and showing hidden files.

The sources discuss several important cybersecurity topics, including vulnerability management with the active exploitation of a Microsoft NTLM vulnerability (CVE-2025-24054) that could lead to leaked credentials and system compromise. The exploitation requires minimal user interaction and is currently targeting specific organizations, emphasizing the need for immediate patching. Another critical issue highlighted is a maximum severity flaw (CVE-2025-32433) in Erlang/OTP SSH, which could allow attackers to execute arbitrary code without authentication, posing a significant risk to various systems, especially those in critical infrastructure. Lastly, the sources cover data security and government regulations with the HHS fining a Guam hospital for HIPAA violations following a ransomware attack, underscoring the importance of risk assessments and compliance in the healthcare sector.

One source details a high-severity vulnerability in Cisco Webex that could allow unauthenticated attackers to gain remote code execution through malicious meeting invite links. This article also briefly mentions other security news, including a CISA funding extension for CVE services, Microsoft blue screen issues, and various cyberattacks and vulnerabilities affecting different systems. Another source reports on a data breach at Legends International, an entertainment services company, where unauthorized access led to the exfiltration of personal data. Finally, the third source describes an incident that disrupted multiple Zoom services due to a domain name resolution problem caused by an error at the domain registry.

The sources discuss several distinct cybersecurity-related topics. One major subject is the extension of funding for the Common Vulnerabilities and Exposures (CVE) program by CISA to prevent any lapse in this critical service. This announcement followed a warning about potential disruptions and the expiration of funding for MITRE, the organization that maintains the CVE program. In response to these concerns, members of the CVE Board also announced the launch of the CVE Foundation, aiming to secure the program's independence. Another key topic is the major hack that took down the online forum 4chan, with the group Soyjak.party claiming responsibility and leaking alleged staff information and source code. Finally, the sources cover Microsoft's decision to block all ActiveX controls by default in Windows versions of Microsoft 365 and Office 2024 applications due to the security risks associated with this legacy software framework.

The sources discuss several security-related topics, including a ransomware attack on the kidney dialysis firm DaVita, which resulted in the encryption of parts of its network and impacted some operations. Another key topic is Microsoft Defender for Endpoint's new capability to isolate undiscovered endpoints to prevent attackers from moving laterally across a network. Finally, the sources also detail security breaches and a data leak at Western Sydney University, involving the compromise of a single sign-on system and the appearance of personal information on the dark web.

The sources discuss several cybersecurity-related topics, including Coinbase's plan to fix a confusing 2FA error message that was causing user anxiety and could be used in social engineering attacks. Another topic is a resurgence of phishing scams impersonating E-ZPass and other toll agencies, aiming to steal personal and credit card information via text messages and fake websites. Finally, one source details how Microsoft credited the hacker persona EncryptHub for reporting Windows security vulnerabilities, providing insights into the actor's background and extensive cybercriminal activities.

Australian pension funds have been targeted by a significant wave of credential stuffing attacks, This occurred over the weekend of March 29-30, 2025, and affected multiple large Australian super funds, potentially compromising thousands of members' accounts. The Association of Superannuation Funds of Australia (ASFA) acknowledged that some members were affected, although most attempts were repelled. Reuters reported that over 20,000 accounts were breached, with some members reportedly losing savings. Several major funds, including AustralianSuper, Hostplus, REST, Australian Retirement Trust, and Insignia Financial, confirmed that some of their members' accounts were breached. AustralianSuper reported at least 600 breached accounts, while REST disclosed that around 8,000 members had limited personal information accessed. Insignia Financial stated that approximately 100 accounts on its Expand Platform were compromised. ASFA has established a hotline and released a toolkit to enhance coordination within the superannuation industry in response to such financial crimes.

A vulnerability in Verizon's Call Filter API allowed users to potentially access the incoming call logs of other Verizon Wireless customers. Security researcher Evan Connelly discovered in February 2025 that the API endpoint used by the Call Filter app to retrieve a user's call history did not verify the phone number in the request against the logged-in user's phone number. As a result, by manipulating the `X-Ceq-MDN` header, any user could have requested and viewed the incoming call history of a different Verizon phone number using their own valid authentication token. Verizon addressed and patched this flaw in mid-March, stating that it only impacted iOS devices and that there was no indication of exploitation. This incident highlights potential risks associated with API security and the handling of sensitive call data.

Recent cybersecurity news includes Google's introduction of easy end-to-end encryption (E2EE) for Gmail business users, which simplifies the process of sending encrypted emails to any recipient by abstracting away complex certificate requirements. In another development, Microsoft utilized its AI-powered Security Copilot to discover twenty previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders, highlighting the potential for attackers to bypass security protections like UEFI Secure Boot. Additionally, retail giant Sam's Club is currently investigating claims of a potential data breach by the Clop ransomware gang, after the gang listed the company on their dark web leak site.

Genetic testing provider 23andMe has filed for Chapter 11 bankruptcy after facing years of financial difficulties and plans to sell its assets. Following this news, privacy experts have raised concerns about the potential exposure of customers' genetic information, even though the company has stated its commitment to safeguarding data. Consequently, the Office of California's Attorney General has advised 23andMe customers to request the deletion of their data and the destruction of their test samples. The UK's Information Commissioner's Office has also emphasized the sensitive nature of genetic information and the need for strict security standards. This development follows a previous data breach in 2023 where the data of 6.4 million customers was exposed.

A recent GitHub Actions supply chain attack primarily targeted Coinbase, a cryptocurrency exchange. The attack involved injecting malicious code into the `reviewdog/action-setup@v1` GitHub Action, which led to the dumping of CI/CD secrets and authentication tokens in GitHub Actions logs. Threat actors then used a stolen Personal Access Token to push a malicious commit to another GitHub Action, `tj-actions/changed-files`, again dumping secrets. Although this malicious commit specifically targeted Coinbase projects, including their `coinbase/agent kit`, and attackers gained write access to the repository, Coinbase reported that the attack was ultimately unsuccessful and did not impact their assets. While 23,000 projects used the compromised action, only 218 repositories were affected.

Human error is now the primary factor in data breaches, accounting for 95% of incidents in 2024. This is often exploited through social engineering tactics like phishing, where employees overestimate their ability to detect scams, with nearly 50% admitting to falling for them. Threat actors, such as Blind Eagle and those behind the KoSpy spyware, utilize phishing emails to gain initial access to systems. While email remains a common threat, attacks via collaboration tools are also increasing. Organizations face challenges in addressing these risks due to budget constraints and the need for more effective human risk management programs beyond basic security awareness training. Simultaneously, threats are becoming more sophisticated with the use of AI in phishing attacks and deepfakes, although AI is also being leveraged in cyber defense.

In March 2025, cybersecurity incidents were reported, including Chinese cyberspies backdooring Juniper routers, Mozilla warning Firefox users to update their browsers, and the social media platform X (formerly Twitter) being hit by a massive cyberattack. The attack on X, claimed by the hacktivist group Dark Storm, led to worldwide outages and the implementation of DDoS protections from Cloudflare. Meanwhile, Chinese hackers were found deploying backdoors on Juniper Networks Junos OS MX routers that are no longer receiving security updates. Mozilla cautioned Firefox users to update to the latest version to avoid security risks due to an expiring root certificate.

Recent cybersecurity news includes a data breach at NTT impacting 18,000 companies, a ransomware gang using a webcam to bypass EDR, and US cities warning about unpaid parking phishing texts. The NTT data breach, discovered in early February 2025, compromised the information of almost 18,000 corporate customers. An Akira ransomware gang utilized an unsecured webcam to encrypt a victim's network, circumventing EDR. Multiple US cities are also issuing warnings about a wave of phishing texts related to unpaid parking invoices.

Several recent cybersecurity incidents and advisories have been reported, including the detection of Stingray attacks using the open-source tool 'Rayhunter'. Additionally, the Chinese cyber-espionage group 'Silk Typhoon' is now targeting IT supply chains to breach networks. Furthermore, YouTube has issued a warning about AI-generated videos of its CEO being used in phishing attacks to steal creators' credentials.

Recent cybersecurity news includes a vulnerability in Cisco Webex for BroadWorks that could allow remote access to credentials, addressed by a configuration change. Scammers are sending fake BianLian ransom notes via mail to U.S. companies, demanding Bitcoin payments. A new botnet, Eleven11bot, has infected over 86,000 IoT devices, mainly security cameras and NVRs, to conduct DDoS attacks.

In recent cybersecurity news, several important developments have emerged: The Cybersecurity and Infrastructure Security Agency (CISA) is continuing its monitoring of Russian cyber threats, refuting claims that it would stop. Google has addressed multiple Android vulnerabilities, including zero-day exploits used by Serbian authorities. Rubrik, a cybersecurity company specializing in data protection, has rotated authentication keys following a breach of a server hosting log files.

In the realm of cybersecurity, recent events highlight the growing concerns around data privacy and security. Mozilla updated its Firefox terms of use following criticism over broad data license language. A study revealed that nearly 12,000 API keys and passwords were found in AI training datasets, raising concerns about insecure coding practices and potential misuse. Furthermore, Serbian police reportedly used a Cellebrite zero-day hack to unlock Android phones, raising concerns about privacy rights abuse and the exploitation of vulnerabilities in mobile devices.