Cyber Briefing: 2025.04.23
Check out today's cybersecurity updates: Cookie-Bite MFA bypass, GCP bug, Rust-based botnet, ransomware hits Baltimore schools, M&S outage, SK Telecom breach, UN scam alert, and Google privacy changes
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
👉 What's trending in cybersecurity today?
🚨 Cyber Alerts
1. Cookie-Bite Attack Bypasses MFA in Cloud
A newly described technique known as “Cookie-Bite” bypasses multi-factor authentication (MFA) after the fact: rather than attacking the login, it steals the authentication cookies that Microsoft Entra ID (formerly Azure AD) issues once a user has already completed MFA. A malicious or compromised browser extension is one way the cookies get harvested. Replaying a hijacked session cookie hands the attacker the user's authenticated session in Microsoft cloud services with no password and no MFA code, and that access persists for as long as the cookie remains valid. Recommended defenses include monitoring for session anomalies (the same session suddenly used from a new location or browser), shortening session lifetimes and forcing re-authentication, and restricting which browser extensions users may install.
2. GCP Composer Bug Allows Privilege Escalation
A privilege escalation vulnerability was found in Google Cloud Platform’s Cloud Composer, its managed Apache Airflow service. Composer lets operators add custom PyPI packages to an environment, and it installed them with a Cloud Build job that ran as the project’s default Cloud Build service account rather than as the environment’s own service account. An attacker with permission to update a Composer environment could therefore supply a malicious package whose install-time code executed inside that build and inherited the build account’s permissions, which commonly reached sensitive services such as Cloud Storage and Artifact Registry, enabling access to data and disruption of services. Google has fixed the issue: package installation now runs as the Composer environment’s service account instead of the default Cloud Build service account, so a custom package can do no more than the environment itself is allowed to do.
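The fix above is a least-privilege change: the identity that installs packages should hold only the permissions that environment needs. The check a practitioner would want is whether the Google-managed default service accounts in a project still carry broad roles. The script below is an added example, not Google’s, Tenable’s or the newsletter’s code; it reads the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json`, and the policy, project number and account names embedded in it are constructed sample data.

```python
"""Audit a GCP project IAM policy for over-privileged default service accounts.

Added example (not code from the newsletter or from Google). Input is the JSON
that `gcloud projects get-iam-policy PROJECT --format=json` prints; the policy
below is constructed sample data with a made-up project number.
"""
import json
import re

# Google-managed default service accounts that build and compute workloads run
# as unless you explicitly override them. The project number in a member string
# is numeric, hence \d+.
DEFAULT_SA_PATTERNS = [
    re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$"),
    re.compile(r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$"),
]

# Roles a package-install step should never need: primitive roles, admin roles on
# the services the Composer bug reached (Storage, Artifact Registry), and the
# ability to mint tokens for other identities.
BROAD_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/storage.admin",
    "roles/artifactregistry.admin",
    "roles/iam.serviceAccountTokenCreator",
}

# Constructed sample policy (assumption: realistic shape, fictitious values).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/logging.logWriter",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/composer.worker",
         "members": ["serviceAccount:composer-env@example-proj.iam.gserviceaccount.com"]},
    ]
})


def is_default_sa(member: str) -> bool:
    """True if the IAM member string names a Google-managed default service account."""
    return any(p.match(member) for p in DEFAULT_SA_PATTERNS)


def find_overprivileged_defaults(policy_json: str) -> dict:
    """Return {member: sorted broad roles} for every default SA holding a role in BROAD_ROLES."""
    policy = json.loads(policy_json)
    findings: dict = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in BROAD_ROLES:
            continue
        for member in binding.get("members", []):
            if is_default_sa(member):
                findings.setdefault(member, []).append(role)
    return {member: sorted(roles) for member, roles in findings.items()}


if __name__ == "__main__":
    for member, roles in find_overprivileged_defaults(SAMPLE_POLICY).items():
        print(f"{member}: {', '.join(roles)}")
```

Feed it a real policy with `gcloud projects get-iam-policy PROJECT --format=json > policy.json` and call `find_overprivileged_defaults(open("policy.json").read())`. Any hit on the Cloud Build default account is the condition the Composer bug exploited; the remediation is to move those roles to a dedicated, narrowly scoped service account and to run Composer environments under their own account, which is what Google’s fix now enforces for package installation.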
3. RustoBot Botnet Targets Routers Using Rust
FortiGuard Labs uncovered RustoBot, a sophisticated botnet using the Rust programming language to target vulnerable routers. The botnet exploits command injection vulnerabilities in TOTOLINK and DrayTek devices, enabling remote code execution and device takeover. Attackers deploy the malware using downloader scripts, spreading it through compromised servers in several countries. Once installed, RustoBot uses advanced evasion techniques like encrypted configuration data and DNS-over-HTTPS for command-and-control communication, making detection challenging.
💥 Cyber Incidents
4. Baltimore Schools Hit by Ransomware Attack
A ransomware attack in February 2025 exposed sensitive data from thousands of students, teachers, and staff in the Baltimore City Public Schools system. The breach compromised documents containing personal information such as Social Security numbers, driver’s licenses, and student records for over 25,000 individuals, including current and former employees, volunteers, and contractors. School officials confirmed that 1.5% of the student population, or more than 1,150 students, were impacted.
5. M&S Faces Cyber Incident Disrupting Services
Marks and Spencer, a UK retailer, is currently addressing a cyber incident that has affected several of its services. The company’s Click and Collect service experienced delays, and customers also faced issues processing contactless payments and using gift cards in stores. M&S apologized to its customers, stating that temporary operational changes had been implemented to protect both the business and its customers. External cybersecurity experts have been brought in to investigate, and the company has notified both the Information Commissioner’s Office and the National Cyber Security Centre about the incident.
6. SK Telecom Data Breach Exposes Customer Info
SK Telecom, South Korea’s largest telecom provider, detected a data breach on April 19, 2025. Attackers had planted malware on its systems and used it to exfiltrate sensitive customer information, including USIM (SIM card) subscriber data of the kind that underpins SIM-swap and cloning attacks. The company isolated the affected systems, removed the malware and notified the Korea Internet & Security Agency. Although no confirmed misuse has been reported, SK Telecom is offering a free SIM protection service to affected customers, and the investigation is ongoing.
📢 Cyber News
7. UN Warns Southeast Asia Scams Spread
Transnational crime syndicates from Southeast Asia are spreading their scam operations worldwide. The UN report highlights the growth of these operations, with victims targeted by false investment, romance scams, and illegal gambling. The criminals are shifting their operations to regions with weaker law enforcement, including Africa and Latin America. The UN Office on Drugs and Crime warns that new technologies like AI and deepfakes are making these scams more sophisticated and widespread.
8. Greece Seeks 30 Cyber Experts for Security
Greece’s National Intelligence Service (EYP) is recruiting 30 cyber experts to combat growing digital threats. This marks the first major hiring campaign in five years, focusing on strengthening national security. The specialists will be responsible for intelligence gathering, tracking cryptocurrency transactions, and monitoring the dark web. EYP's efforts align with similar global recruitment strategies by intelligence agencies to combat evolving cybersecurity risks.
9. Google Drops Third Party Cookies Prompt
Google recently announced that it will not roll out a standalone prompt for third-party cookies as part of its Privacy Sandbox initiative. The decision came after feedback from various stakeholders, including publishers, developers, and regulators, which showed divergent views on changing third-party cookie availability. Instead, Google will focus on enhancing existing privacy features in Chrome, including stronger protections in Incognito mode, which already blocks third-party cookies by default. Additionally, a new IP Protection feature, which hides users’ original IP addresses from third parties in Incognito mode, is planned for later in 2025.
💡 Cyber Tip
Watch for MFA Bypass via Session Hijacking (Cookie-Bite Attack)
Attackers are now stealing authentication cookies to bypass MFA and gain persistent access to cloud accounts protected by Microsoft Entra ID (formerly Azure AD), no password or code required: the cookie is issued after MFA has already been completed, so replaying it inherits that trust.
✅ Actions You Should Take:
Monitor sessions – Alert on the same session or token being used from a new location, IP range or browser, and on geographic anomalies such as impossible travel.
Limit cookie lifespan – Shorten session duration and enforce regular re-authentication so a stolen cookie expires quickly.
Restrict browser extensions – Allow only vetted extensions, since a malicious extension can read and exfiltrate session cookies.
Revoke on suspicion – When a session looks replayed, revoke the user’s sessions and refresh tokens; a password reset alone does not invalidate a cookie the attacker already holds.
Why it matters: This stealthy technique lets attackers skip MFA entirely, so it produces no failed logins or MFA prompts to alert on, which makes it harder to detect and easier to use for maintaining unauthorized cloud access.
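The “monitor sessions” and “limit cookie lifespan” actions above, and the alert on Cookie-Bite in item 1, both come down to the same detection: a session identifier that suddenly appears from a different network or browser without any MFA event, or that lives longer than policy allows. The script below is an added example, not code from the newsletter or from the researchers who described the attack. It assumes sign-in telemetry has been normalized into records with a timestamp, user, session id, source IP, country, User-Agent and an MFA flag (field names are assumptions); the events embedded in it are constructed sample data.

```python
"""Flag probable replay of a stolen SSO session cookie from sign-in telemetry.

Added example, not from the newsletter. Assumptions: events are dicts with the
fields used below (ts, user, session, ip, country, ua, mfa), however your IdP
exports them. All sample values are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Policy knob: sessions in use beyond this age should have forced re-authentication.
MAX_SESSION_AGE = timedelta(hours=8)

# Constructed sample: alice logs in with MFA on her own browser, then the same
# session id is presented from another country and browser with no MFA prompt
# (a replayed cookie). bob's session is legitimate but far too long-lived.
SAMPLE_EVENTS = [
    {"ts": "2025-04-23T08:00:00", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "country": "DE", "ua": "Edge/124", "mfa": True},
    {"ts": "2025-04-23T08:05:00", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "country": "DE", "ua": "Edge/124", "mfa": False},
    {"ts": "2025-04-23T08:20:00", "user": "alice", "session": "S1",
     "ip": "198.51.100.7", "country": "BR", "ua": "Chrome/124", "mfa": False},
    {"ts": "2025-04-23T09:00:00", "user": "bob", "session": "S2",
     "ip": "192.0.2.5", "country": "DE", "ua": "Edge/124", "mfa": True},
    {"ts": "2025-04-23T18:00:00", "user": "bob", "session": "S2",
     "ip": "192.0.2.5", "country": "DE", "ua": "Edge/124", "mfa": False},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def detect_session_replay(events, max_age=MAX_SESSION_AGE):
    """Return one alert dict per suspicious observation, in time order.

    Per session id, compared against the first time the session was seen:
      * replay: later use from a different IP, country or User-Agent with no
        MFA event (a stolen cookie skips login and MFA entirely; a user who
        genuinely moved devices would have produced a fresh MFA-backed login);
      * stale: the session is still in use beyond max_age (long cookie
        lifetimes are what make the stolen token worth stealing).
    """
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session[e["session"]].append(e)

    alerts = []
    for sid, evs in by_session.items():
        first = evs[0]
        for e in evs[1:]:
            changes = []
            if e["ip"] != first["ip"]:
                changes.append(f"ip {first['ip']}->{e['ip']}")
            if e["country"] != first["country"]:
                changes.append(f"country {first['country']}->{e['country']}")
            if e["ua"] != first["ua"]:
                changes.append(f"user-agent {first['ua']}->{e['ua']}")
            if changes and not e["mfa"]:
                alerts.append({"session": sid, "user": e["user"], "ts": e["ts"],
                               "reason": "replay: " + ", ".join(changes)})
            if _parse(e["ts"]) - _parse(first["ts"]) > max_age:
                alerts.append({"session": sid, "user": e["user"], "ts": e["ts"],
                               "reason": "session older than policy"})
    return alerts


if __name__ == "__main__":
    for a in detect_session_replay(SAMPLE_EVENTS):
        print(a)
```

Two caveats when running this on real data: compare on country or ASN rather than raw IP for mobile users, whose addresses change constantly, or you will drown in false positives; and treat a hit as a trigger to revoke that user’s sessions and refresh tokens, because until the cookie is invalidated the attacker keeps the access regardless of what the user does with their password.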
📚 Cyber Book
Improving Android’s Device Security using Behavioral Biometrics by Yonatan Mekonnen
Copyright © 2025 CyberMaterial. All Rights Reserved.