Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11835

Checks for new stories every ~15 minutes

2025-04-16 11:52:27 thehackernews CYBERCRIME AI Platform Exploited in Multi-Stage Phishing Attack Chain
Threat actors are using the Gamma AI presentation platform to run multi-stage phishing attacks that mimic Microsoft SharePoint logins. The chain starts with a phishing email carrying a PDF hyperlink, often sent from a compromised legitimate account. Clicking the link opens a Gamma-hosted presentation that invites the user to view "Secure Documents" and walks them through several deceptive pages. An intermediate impersonation page uses a Cloudflare Turnstile check to add perceived legitimacy and to hinder automated analysis by URL scanners. The user finally lands on a fake Microsoft SharePoint login page that harvests credentials and validates them in real time, so that mistyped passwords are rejected and the illusion holds. This approach, known as living-off-trusted-sites (LOTS), abuses reputable services to slip past email security checks that lean on domain reputation and to obscure the true nature of the phishing pages. Microsoft has separately flagged an increase in AI-driven fraud and fabricated content. The takeaway is that attackers keep adopting new legitimate tools and services to reach users, so the hosting domain alone is no longer a usable trust signal.
Details
2025-04-16 11:27:12 thehackernews CYBERCRIME Emerging Cyber Risks in Supply Chains Amid U.S. Tariffs
Cyber threats targeting supply chains have escalated as companies rely more heavily on third-party vendors and global logistics. Attackers exploit weaknesses in interconnected systems, entering through a vendor to reach sensitive data and operational controls. Recent incidents such as the 2024 ransomware attack on Change Healthcare caused major disruption and data theft affecting millions. Manufacturing, healthcare, retail, energy, and banking are at particular risk because of their dependence on complex supply networks. The article argues that proactive measures, including Continuous Threat Exposure Management (CTEM) and automated penetration testing, are vital for preventing attacks, and that alignment with frameworks and standards such as NIST's and ISO 27001 sets a baseline of security practice for protecting supply chains. U.S. tariffs on foreign goods could add new cybersecurity risk by pushing companies to redirect sourcing toward less mature, less secure suppliers. A shift from reactive measures to proactive strategies, including AI-driven threat detection, is presented as essential for supply-chain resilience and continuity.
Details
2025-04-16 10:41:20 thehackernews MALWARE Advanced BPFDoor Malware Facilitates Espionage in Asia, Middle East
Trend Micro researchers have identified a new controller for BPFDoor, a Linux backdoor used in recent attacks across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt, mainly against telecom, finance, and retail organizations. The malware supports stealthy lateral movement and long-term espionage inside compromised networks. BPFDoor relies on the kernel's Berkeley Packet Filter (BPF): a filter attached to a raw packet socket inspects incoming traffic before host firewall rules apply, so the implant can wait silently for an activation ("magic") packet without opening a listening port that a firewall rule or port scan would reveal. The newly found controller lets operators reach deeper into a network, control numerous compromised systems, and access sensitive data remotely. The activity is attributed to Earth Bluecrow, a threat group also tracked as DecisiveArchitect and Red Menshen. The controller supports multiple protocols (TCP, UDP, and ICMP) and an encrypted mode for issuing commands to infected hosts. Trend Micro stresses that defenders need to understand and analyze BPF code in order to build detections for BPF-powered threats.
Details
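One cheap triage step that follows from the summary above is to enumerate which processes hold AF_PACKET (raw packet) sockets, since that is what a BPF-filter-based implant needs in order to see traffic before the firewall. The script below is an added example written for this brief, not Trend Micro's tooling or BPFDoor code. It assumes the /proc/net/packet column layout (sk RefCnt Type Proto Iface R Rmem User Inode) and uses a constructed sample of that file; the "unbound socket" heuristic (interface index 0, meaning the socket is not tied to one interface) is an assumption of the example, not a published indicator. Note that /proc/net/packet does not show whether a filter is attached; `ss -0 -b` can dump attached classic BPF programs for the sockets this script surfaces.

```python
"""Enumerate AF_PACKET sockets on Linux and map them to owning processes.

Legitimate daemons (dhclient, tcpdump, lldpd, some monitoring agents) also
open packet sockets, so every hit is a lead to review, not a verdict.
"""
import os
import re
from typing import Dict, List, Set

# Constructed sample of /proc/net/packet (layout assumed from the kernel's
# packet_seq_show output). Proto is the ethertype in hex: 0003 = ETH_P_ALL,
# 0800 = ETH_P_IP. Iface is the ifindex; 0 means not bound to one interface.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a7bc0e1d000 3      3    0003   0     1 0      0      28811
ffff9a7bc0e1d800 3      3    0800   2     1 0      0      41207
ffff9a7bc0e2a000 3      3    0003   2     1 0      1000   55555
"""


def parse_proc_net_packet(text: str) -> List[Dict[str, int]]:
    """Return one record per packet socket: proto, iface, uid, inode."""
    records = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 9:
            continue
        records.append({
            "proto": int(fields[3], 16),
            "iface": int(fields[4]),
            "uid": int(fields[7]),
            "inode": int(fields[8]),
        })
    return records


def unbound_packet_sockets(records: List[Dict[str, int]]) -> List[Dict[str, int]]:
    """Heuristic (assumption of this example): a packet socket that is not bound
    to a specific interface sees every frame on the host, which is what a
    sniff-everything backdoor wants and few ordinary daemons need."""
    return [r for r in records if r["iface"] == 0]


def socket_inode_owners(inodes: Set[int], proc_root: str = "/proc") -> Dict[int, List[int]]:
    """Map socket inodes to PIDs by reading /proc/<pid>/fd symlinks.

    Other users' processes are only readable as root; unreadable entries are skipped.
    """
    owners: Dict[int, List[int]] = {i: [] for i in inodes}
    link_pat = re.compile(r"^socket:\[(\d+)\]$")
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return owners
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = link_pat.match(target)
            if m and int(m.group(1)) in owners:
                owners[int(m.group(1))].append(int(pid))
    return owners


def triage(text: str, proc_root: str = "/proc") -> List[str]:
    """Produce one human-readable line per flagged socket, with owning PIDs if resolvable."""
    flagged = unbound_packet_sockets(parse_proc_net_packet(text))
    owners = socket_inode_owners({r["inode"] for r in flagged}, proc_root)
    return [
        f"inode={r['inode']} proto=0x{r['proto']:04x} uid={r['uid']} pids={owners[r['inode']] or 'unresolved'}"
        for r in flagged
    ]


if __name__ == "__main__":
    # Prefer the live file when running on Linux; fall back to the constructed sample.
    try:
        with open("/proc/net/packet") as fh:
            data = fh.read()
    except OSError:
        data = SAMPLE_PROC_NET_PACKET
    for line in triage(data):
        print(line)
```

Run it as root on a host you are triaging and review each surfaced PID's binary path, command line, and whether the process name matches a real system daemon; a packet socket owned by a process masquerading as a system service is worth a deeper look.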
2025-04-16 10:34:42 thehackernews MISCELLANEOUS Wing Security Enhances SaaS Protection with Identity Defense
Wing Security's platform addresses the rise in SaaS application breaches by managing identities and detecting identity-based threats. The vendor notes that most breaches trace back to identity and credential misconfigurations, which it uses to argue for SaaS-specific security tooling. Wing's non-intrusive discovery connects over APIs to the major identity providers and SaaS applications to build an inventory of identities and their access. Its identity-centric threat detection correlates identity events with MITRE ATT&CK techniques to produce actionable findings. Real-time detection is said to reduce median time to resolution, and a "breach confidence score" helps security teams prioritize which threats to handle first. Customized mitigation playbooks guide SecOps teams through the specific steps needed to resolve a threat and prevent recurrence. The platform also continuously monitors for misconfigurations and risky settings, with the stated aim of fixing root causes rather than treating symptoms. Overall, Wing Security combines SaaS Security Posture Management (SSPM) and Identity Threat Detection and Response (ITDR) to harden an organization's posture against identity-based attacks.
Details
2025-04-16 07:39:57 thehackernews MALWARE Chinese Phones Shipped with Trojanized WhatsApp, Target Cryptocurrency
Chinese manufacturers have shipped Android smartphones with pre-installed trojanized apps disguised as WhatsApp and Telegram, aimed at cryptocurrency users. The malware, identified by the Russian antivirus firm Doctor Web, is found on low-end phones that imitate premium models from brands such as Samsung and Huawei. The trojanized apps can rewrite cryptocurrency wallet addresses in chat messages so that funds are redirected to the attackers, and they also harvest device data and personal media files. The apps are built with the open-source LSPatch project, which injects the Shibai trojan into legitimate applications; around 40 apps, including messengers and QR code scanners, are affected. The operation is sizable, using about 30 domains and more than 60 command-and-control servers for management and distribution. Analysis shows that nearly two dozen cryptocurrency wallets linked to the attackers received over $1.6 million in the last two years, a measure of the scheme's financial impact. Separate reporting describes a new Android malware, Gorilla, focused on sensitive data collection and persistent access, a sign that threats to Android are continuing to evolve.
Details
2025-04-16 06:27:29 theregister CYBERCRIME Study Reveals Ransom Demands Spike with Cyber-Insurance Discovery
Researchers found that ransomware attackers raise their demands by 2.8 times on average when they learn that the victim carries cyber-insurance. Dutch researcher Tom Meurs analyzed 453 ransomware incidents from 2019 to 2021 and found the multiplier reached 5.5 times in double-extortion cases with insured victims. Insured companies paid a ransom 44% of the time, nearly double the rate of uninsured companies, and paid significantly more when they did. The most common initial access vectors were phishing emails, malicious mobile apps, and vulnerabilities in outdated software. The IT sector was heavily targeted because of its high payout potential and large digital footprint, and a single compromise there often victimized multiple downstream companies. Only about 40% of ransomware attacks are reported to the police, and reporting rates for other types of online fraud are far lower. Working backups made a victim roughly 27 times less likely to pay, underlining the value of robust data management. Even with backups, some companies still pay to speed up recovery or limit reputational damage, and the study notes that backups reportedly fail during 85% of attacks.
Details
2025-04-16 06:20:36 bleepingcomputer MISCELLANEOUS Urgent Funding Crisis Risks Global Cybersecurity Standards
MITRE's funding for the CVE and CWE programs, sponsored by the U.S. Department of Homeland Security, expires today, raising major concern across the global cybersecurity community. The CVE system is a cornerstone of vulnerability management: it provides a standardized way to identify and discuss security vulnerabilities worldwide. A discontinuation of the program could degrade national vulnerability databases, vendor advisories, and the many security tools that key on CVE IDs. Cybersecurity leaders including Jen Easterly, the former head of CISA, have warned that losing CVE would mean a loss of coordination and a breakdown of trusted processes across the globe. A break in service would directly affect incident response and critical infrastructure protection, with potential national security consequences. DHS says it is actively working to mitigate the impact of the funding lapse and sustain CVE services, which global stakeholders depend on in their security operations. The situation compounds NIST's existing struggle with a large backlog of CVEs awaiting analysis for the National Vulnerability Database (NVD).
Details
2025-04-16 05:15:07 thehackernews MISCELLANEOUS U.S. Govt Funding Ends for MITRE’s CVE Program; Cybersecurity Risks Loom
The U.S. government will cease funding MITRE's operation of the CVE program on April 17, impacting global cybersecurity infrastructure. The CVE system is critical for cataloging and managing publicly disclosed security vulnerabilities. MITRE warns of potential degradation across national vulnerability databases, advisories, and critical infrastructure without continued support. Despite the looming deadline, the government is still making efforts to support MITRE's role in maintaining the CVE program. Cybersecurity firm VulnCheck has proactively reserved 1,000 CVEs for 2025 in anticipation of disruptions. Experts predict that a lapse in the CVE program could delay vulnerability disclosures, impacting software security and risk assessments. The sustainability of the Common Weakness Enumeration (CWE) project is also at risk, potentially affecting secure coding and prioritization practices.
Details
2025-04-16 00:06:11 theregister NATION STATE ACTIVITY U.S. Government Halts Funding for Essential CVE Program
U.S. government funding for the CVE program, crucial for tracking security flaws globally, will cease this Wednesday. The CVE program, managed by MITRE under the Department of Homeland Security, is at risk due to non-renewal of contract and federal budget cuts. Without alternative funding, the program's ability to publish new CVEs and operate its website could end shortly. CVE IDs standardize vulnerability management and are used worldwide by companies and organizations to ensure clear communication and proper addressing of security threats. More than 40,000 CVEs were issued last year, highlighting the program's significant role in cybersecurity. Industry experts like Katie Moussouris and Dustin Childs express concerns about the severe impacts on vulnerability management and potential national security risks. Discussions revolve around the need for the security industry to fill the funding void and continue the program’s operations. Historical CVE records will remain accessible via GitHub, which provides some continuity.
Details
2025-04-15 20:46:33 theregister DATA BREACH Over 1.6 Million Affected in IT Provider Security Breach
Landmark Admin, a Texas firm that provides back-office services to insurers, has reported that 1.6 million individuals had their data stolen, double the number initially disclosed. Compromised data includes Social Security numbers, driver's license numbers, passport numbers, financial account details, medical information, and insurance policy details. No payment card data was taken, but the stolen information is highly sensitive and well suited to identity theft and targeted phishing. The breach unfolded as two separate incidents; the second involved both data encryption and data theft, which points to a ransomware-style attack. Landmark is offering affected individuals 12 months of credit monitoring, a $1 million identity theft insurance reimbursement policy, and managed identity recovery services. Because Landmark handles essential backend processing for several American insurers, the case illustrates the risk of attackers targeting third-party suppliers. The incident has already drawn a class-action lawsuit and adds to ongoing concern about the security practices of third-party suppliers.
Details
2025-04-15 20:31:45 bleepingcomputer NATION STATE ACTIVITY Midnight Blizzard's New Malware Targets European Embassies
Russian cyberespionage group Midnight Blizzard, also known as APT29 or Cozy Bear, has initiated a spear-phishing campaign against European diplomatic entities. The campaign features the debut of a new malware loader named GrapeLoader, used for deploying a modified version of the WineLoader backdoor. Victims receive phishing emails spoofed from legitimate Ministry of Foreign Affairs addresses, directing them to download a malicious file under the guise of a wine-tasting event invitation. GrapeLoader operates by sideloading a DLL to execute itself, enhancing stealth with techniques like delayed shellcode execution and specific memory protections to evade detection by antivirus products. The primary function of the GrapeLoader malware includes stealth reconnaissance and the activation of WineLoader, a modular backdoor that collects extensive system and user data. WineLoader has been upgraded to use sophisticated obfuscation techniques making its analysis and detection significantly more challenging. Despite extensive analysis, the full capabilities and the specifics of payloads delivered by WineLoader remain unclear due to its memory-resident nature and high target specificity.
Details
2025-04-15 19:02:52 theregister CYBERCRIME Rival Forum Allegedly Hacks 4chan, Leaks Sensitive User Data
4chan suffered significant outages and slow load times following a claimed cyberattack by a rival forum, Soyjak.party. The alleged attackers say they stole and leaked 4chan's source code along with personal details of its moderators and users' IP addresses, reportedly including .edu and .gov email addresses. The breach was described as full access to 4chan's SQL databases, source code, and a shell on its servers, which would amount to a deep and comprehensive compromise. Social media commentary suggests 4chan was running an outdated, vulnerable version of PHP, which would have worsened its exposure. The attackers, previously banned from 4chan, claimed to have reinstated their board on the site as part of the hack, which points to a revenge motive. The exposure of moderator identities has revived speculation about whether 4chan has been used as a federal law enforcement honeypot. Downdetector logged a peak of more than 1,000 user complaints during the outages, a measure of the disruption's scale.
Details
2025-04-15 18:34:02 bleepingcomputer DATA BREACH Landmark Admin Data Breach Affects Over 1.6 Million People
Landmark Admin, a Texas-based third-party administrator for major insurers, has reported a data breach affecting 1.6 million individuals. The company first detected suspicious network activity on May 13, 2024, and its initial report put the number of affected individuals at 806,519. The intrusion involved unauthorized access that exposed varying types of personal information depending on the individual. Affected individuals are being notified by personalized letters that spell out which of their data was compromised. The updated count follows a more thorough investigation, and the company says the figure may be revised again as the forensic review continues. Landmark is offering victims 12 months of identity theft protection and credit monitoring. Recipients of the breach notifications have a 90-day window to contact a dedicated helpline with questions and concerns.
Details
2025-04-15 18:18:58 bleepingcomputer CYBERCRIME Major Hack Takes Down 4chan, Exposes Admin Information
4chan, a controversial online platform, experienced a significant security breach, resulting in its temporary shutdown. The attack, claimed by members of Soyjak.party, involved leaking screenshots of 4chan's admin panels and staff emails. The hacker, identified as a member of Soyjak.party, claimed to have had access to 4chan's systems for over a year before executing the attack. Among the information leaked were details that could allow unauthorized access to user locations, IP addresses, and internal management tools. The breach was attributed to the use of an outdated PHP version, making 4chan vulnerable to known security exploits. Following the breach, 4chan struggled with intermittent service, switching between text-only mode and showing Cloudflare errors. The PHP source code of 4chan was also leaked on another platform, indicating a widespread compromise of the site's underlying technology. This incident highlighted ongoing security challenges for forums and the critical need for regular system updates and patches.
Details
2025-04-15 18:07:08 theregister NATION STATE ACTIVITY China Accuses US of Cyberattacks During Asian Winter Games
China has publicly accused three named NSA agents of launching cyberattacks on the systems of the 2025 Asian Winter Games in Harbin, Heilongjiang province. The agents, alleged to be members of the NSA's Tailored Access Operations unit, are accused of attempting to implant backdoors and access sensitive data through the event's registration and timekeeping systems. Chinese state media reports more than 270,000 attack attempts against the games, attributing 170,000 to the United States and the rest to other countries, including Singapore and Germany. The report frames the activity as aggressive foreign interference aimed at disrupting and exploiting international events hosted in China. Beijing's allegations mirror the language Western governments typically use to describe similar activity by China, Russia, North Korea, and Iran. Chinese authorities have offered bounties for information leading to the arrest of the named agents, although the reward amounts have not been disclosed. China also claims the U.S. has targeted other critical sectors in Heilongjiang province, including energy and telecommunications.
Details