Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12813
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-03-20 14:08:17 | bleepingcomputer | MISCELLANEOUS | Evolving From Annual Pen Tests to Continuous Security Testing | Annual penetration tests may be insufficient due to the rapid pace of development and frequent deployment of new features in applications. Verizon's 2024 Data Breach Investigation Report highlights that gaps in security testing contribute to data breaches, with exploited vulnerabilities in web applications being a significant issue. Continuous Penetration Testing as a Service (PTaaS) aligns better with agile development practices by integrating continuous security assessments throughout the development lifecycle. PTaaS not only identifies vulnerabilities but also facilitates rapid remediation by enhancing collaboration between security teams and developers. Transitioning to continuous testing demands breaking down silos between security, development, and operations teams and establishing new workflows for quick vulnerability identification and remediation. Organizations should seek PTaaS solutions that integrate with their existing development tools, offer real-time dashboards, and provide automated scanning with direct communication channels. Continuous penetration testing improves both compliance and security posture by providing thorough documentation and regular updates, and it encourages ongoing adjustments to security protocols. | Details |
| 2025-03-20 13:53:29 | thehackernews | MALWARE | Veeam and IBM Patch Critical Vulnerabilities in Key Systems | Veeam has issued security updates for a critical flaw in its Backup & Replication software that allows remote code execution. The vulnerability, identified as CVE-2025-23120 with a CVSS score of 9.9, affects versions up to 12.3.0.310. The flaw was discovered by security researcher Piotr Bazydlo and is due to improper handling in the deserialization process in Veeam's software. IBM has concurrently released patches for two critical vulnerabilities in its AIX operating system that could allow command execution. Both Veeam and IBM have advised users to apply these patches urgently to mitigate potential exploitation risks. No evidence currently suggests these flaws have been exploited in the wild, but the severity of the risks they pose necessitates immediate action. | Details |
| 2025-03-20 13:44:45 | bleepingcomputer | CYBERCRIME | HellCat Hackers Launch Global Jira Platform Cyberattacks | Swiss telecommunication firm Ascom confirmed a cyberattack by HellCat hackers targeting its Jira servers. The breach involved theft of about 44GB of data spanning source code, project details, and internal documents. Despite the breach of Ascom's ticketing system, the incident reportedly did not affect company operations, and no customer or partner action was necessary. HellCat's recent activities also include attacks on the Jira systems of major companies like Schneider Electric, Telefónica, and Jaguar Land Rover. In several cases, HellCat used compromised credentials acquired from third-party breaches to access Jira servers. Notably, Jira servers have been highlighted as valuable targets for cybercriminals due to the extensive sensitive information they host. The breach incidents underline the importance of regular credential updates and robust cyber defenses to mitigate such risks. | Details |
| 2025-03-20 13:37:13 | theregister | MISCELLANEOUS | Research Highlights Key Defenses Against Software Supply Chain Attacks | A new preprint paper from North Carolina State University and Yahoo! focuses on mitigating software supply chain risks. It emphasizes implementing role-based access control, system monitoring, and boundary protection. The study examines recent attacks such as SolarWinds, Log4j, and XZ Utils to extract practical defense strategies. The authors note that it is challenging for organizations to select appropriate tools from the diverse frameworks available. They analyzed 106 incident reports, mapping them to 203 MITRE attack techniques, to develop a prioritized list of mitigation tasks. A newly created "starter kit" by the researchers aims to integrate recommendations from various authoritative frameworks. The kit highlights crucial tasks missing from existing frameworks, identifying areas still vulnerable to attacks despite current measures. Future framework revisions are planned to close these identified gaps in supply chain security strategies. | Details |
| 2025-03-20 13:18:38 | theregister | NATION STATE ACTIVITY | UK's NCSC Sets 10-Year Deadline for Quantum-Safe Encryption | The UK's National Cyber Security Centre (NCSC) has issued a timeline with milestones for organizations to transition to post-quantum cryptography (PQC) within ten years. The directive sets three key milestones: by 2028, organizations should define PQC migration goals and initiate planning; priority migrations should be complete by 2031; and the full PQC transition should be achieved by 2035. This guidance anticipates quantum computing advancements that could compromise existing encryption models by breaking their algorithms. Various sectors will face differing challenges based on their cryptographic maturity and dependency, leading to potentially uneven progress across industries. NCSC's timeline considers the creation of PQC standards, development of supporting ecosystems, and widespread adoption as achievable within the ten-year window. Smaller businesses might depend on their service providers for PQC transitions, whereas larger and critical infrastructure organizations will likely face significant logistical and financial challenges. The guidance doesn't just set a compliance framework; it also aims to enhance overall cybersecurity in anticipation of quantum computing breakthroughs that could disrupt current encryption methods. | Details |
| 2025-03-20 11:27:17 | thehackernews | MISCELLANEOUS | Effective Strategies for Enhanced Cloud Security Management | Microsoft 365 exemplifies a shared responsibility model in cloud security, clarifying roles between cloud providers and their clients. Microsoft ensures the security of foundational and physical infrastructure components, adheres to global standards, and uses advanced threat detection techniques. Businesses must manage user access controls, authentication, and secure data sharing practices, and ensure compliance with their individual security needs. A strategic approach to implementing robust Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC) is recommended to enhance security. Information asset assessments are crucial for developing a data protection strategy that involves sensitivity labeling and Data Loss Prevention (DLP) policies. Implementing a 3-2-1 backup strategy is vital for data recovery in disaster scenarios, helping minimize downtime and potential data loss. Continuous security monitoring, regular policy reviews, compliance checks, and a comprehensive training program are essential for maintaining security efficacy. The security framework within an organization should evolve constantly to adapt to new threats and technologies, emphasizing the importance of regular updates and stakeholder engagement. | Details |
| 2025-03-20 11:01:54 | thehackernews | NATION STATE ACTIVITY | Six Nations Suspected of Using Israeli Spyware to Intercept Communications | The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are alleged users of Graphite, a spyware developed by Israeli company Paragon Solutions. Graphite is designed to harvest sensitive data from instant messaging apps on infected devices. The Citizen Lab identified these six governments as potential users by mapping server infrastructure linked to Paragon's spyware. Over 90 individuals, including journalists and civil society members, were targeted through vulnerabilities exploited via Graphite, as stated by Meta-owned WhatsApp. The attack method involved adding targets to a WhatsApp group and deploying a malicious PDF to trigger the spyware installation. Forensic analysis has revealed an artifact known as BIGPRETZEL, believed to uniquely mark Graphite infections on Android devices. An attack using Graphite was also undertaken against an iPhone user in Italy, which led Apple to release a security patch in iOS 18 to mitigate similar vulnerabilities. Apple and WhatsApp have both taken measures to inform and protect users against such mercenary spyware attacks, emphasizing the sophisticated and targeted nature of these threats. | Details |
| 2025-03-20 10:04:07 | thehackernews | MISCELLANEOUS | Why MSPs Must Offer Continuous Compliance Monitoring | Small and mid-sized businesses (SMBs) are increasingly subject to stringent data protection and security regulations, making compliance a critical issue. Recent data highlights that over 60% of approximately 33.3 million U.S. SMBs are not fully compliant with at least one regulatory standard, risking fines and reputational damage. Managed Service Providers (MSPs) have the opportunity to expand their service offerings by providing continuous compliance monitoring to help SMBs maintain regulatory compliance. Continuous compliance monitoring offers real-time visibility into security and compliance, helping to close gaps that periodic audits may miss. The introduction of tools like Compliance Manager GRC can transform compliance into a scalable and profitable service for MSPs, reducing manual effort and enhancing efficiency. Implementing continuous compliance monitoring not only aids in risk management but also positions MSPs as essential strategic partners for SMBs. MSPs can leverage compliance monitoring to attract new clients and unlock additional revenue streams, making it a competitive advantage in the IT services market. | Details |
| 2025-03-20 09:49:05 | thehackernews | CYBERCRIME | CISA Identifies Actively Exploited Vulnerability in NAKIVO Software | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in NAKIVO Backup & Replication software to its KEV catalog. The vulnerability, identified as CVE-2024-48248 with a high severity score of 8.6, allows unauthorized file access through a path traversal flaw. All versions of the software before version 10.11.3.86570 are affected, permitting attackers to read sensitive files such as `/etc/shadow`. Successful exploitation can lead to exposure of confidential data like system configurations, backups, and credentials, which could facilitate further cyber attacks. Despite the lack of detailed insight into current exploitation tactics, the issue has been resolved in the latest software update, version v11.0.0.88174, released in November 2024. The exploitability of the flaw was previously confirmed by a proof-of-concept shared by watchTowr Labs. CISA mandates that Federal Civilian Executive Branch agencies implement the recommended security patches by April 9, 2025, to bolster their defenses against potential breaches. | Details |
| 2025-03-20 06:14:23 | thehackernews | NATION STATE ACTIVITY | Dark Crystal RAT Targeting Ukrainian Defense via Signal App | CERT-UA has identified a cyber espionage campaign using the Dark Crystal RAT to infiltrate Ukraine's defense-industrial sector. Malicious messages falsely claiming to be meeting minutes are spread via Signal, some from already compromised accounts. These deceptive messages include an archive with a decoy PDF and an executable that deploys DCRat malware. DCRat, a powerful remote access trojan, executes remote commands, steals information, and controls affected devices. This malicious activity is traced back to a threat group known as UAC-0200, reportedly active since summer 2024. The incident follows allegations that Signal is not cooperating with Ukrainian law enforcement against Russian cyber threats. Reports indicate increased Russian efforts to access WhatsApp and Signal accounts using the apps' device linking features. | Details |
| 2025-03-19 23:20:16 | bleepingcomputer | MALWARE | 'DollyWay' Malware Campaign Targets 20,000 WordPress Sites | A malware campaign known as 'DollyWay' has infected over 20,000 WordPress sites globally since 2016, redirecting users to malicious sites. The operation has evolved to use advanced evasion techniques, reinfection methods, and strategic monetization through affiliate networks like VexTrio and LosPollos. DollyWay uses vulnerable WordPress plugins and themes to inject malware, which then leverages a Traffic Distribution System (TDS) to redirect traffic based on visitor details such as location and device type. The most recent version of the campaign, DollyWay v3, has been particularly involved in fraudulent activities like fake dating and gambling sites, generating millions of fraudulent impressions each month. The malware ensures persistence and complicates removal by auto-reinfecting sites on each page load and spreading its code across active plugins. Hidden administrative accounts and an obscured WPCode plugin are used for ongoing control and reinfection of compromised sites. GoDaddy Security researchers have linked multiple past separate attacks to this sophisticated single threat actor, highlighting the shared infrastructure and code patterns. Further details and indicators of compromise (IoCs) will be published by GoDaddy to assist in defending against this extensive and sophisticated malware operation. | Details |
| 2025-03-19 22:49:30 | bleepingcomputer | MISCELLANEOUS | Kali Linux 2025.1a Unveiled: New Features and Updates | Kali Linux version 2025.1a is introduced as the first update of 2025, featuring both enhancements and a new tool. The update implements desktop changes including Plasma 6.2 and Xfce 4.20, enhancing the user interface experience. A unique visual theme, new wallpapers, and modified boot/login screens are part of the annual theme refresh. Only one new tool, Hoaxshell, was added in this mostly update-focused release. The kernel has been upgraded to version 6.12 to bolster system performance. Floating panels from KDE emerge as the Kali Team's favorite new desktop feature, aimed at improving navigation and aesthetics. Upgrading to this version is available through direct ISO downloads or command line instructions for existing users. The release followed a last-minute fix of a bug in version 2025.1, prompting a rebuild to 2025.1a. | Details |
| 2025-03-19 21:42:46 | bleepingcomputer | DATA BREACH | Over Half a Million Affected in Pennsylvania Union Data Breach | The Pennsylvania State Education Association (PSEA) reported a data breach affecting 517,487 individuals. Personal data including Social Security numbers, driver's licenses, and health information were compromised. The breach occurred on July 6, 2024, but was only confirmed after a thorough investigation completed on February 18, 2025. The Rhysida ransomware gang claimed responsibility for the breach, demanding a 20 BTC ransom. PSEA is offering free credit monitoring and identity restoration services to those impacted. Affected individuals are advised to monitor their accounts, obtain credit reports, and consider placing fraud alerts or security freezes on their credit files. The breach notification comes amid several high-profile attacks by Rhysida ransomware, indicating a pattern of targeting a wide range of industries. | Details |
| 2025-03-19 21:14:22 | theregister | DATA BREACH | Pennsylvania Teachers Union Reports Massive Data Theft Incident | The Pennsylvania State Education Association (PSEA) experienced a significant data breach in July 2024, compromising the personal information of over 500,000 individuals. Stolen data includes Social Security numbers, financial details, and health information, impacting a wide array of personal and sensitive data. The breach was publicly linked to the Rhysida ransomware gang, hinting at a potential ransomware attack, although PSEA did not confirm paying any ransom. PSEA completed its internal investigation by February 18, detailing the extent of the exposed information and confirming the unauthorized data access. Despite assurances, there is as yet no evidence that the stolen information has been used for identity theft or other fraudulent activities. In response to the breach, PSEA is offering free credit monitoring and identity restoration services, but only to those whose Social Security numbers were affected. The organization has taken steps to have the stolen data deleted by the unauthorized actors, to the best of its knowledge, although the effectiveness of such measures is often difficult to verify. | Details |
| 2025-03-19 21:00:11 | theregister | DATA BREACH | Major Sperm Bank Suffers Data Breach Exposing Sensitive Info | California Cryobank experienced a data breach between April 20 and April 22, exposing sensitive customer information including names, Social Security numbers, and bank details. The breach was noticed on April 21 when unauthorized activity was detected on certain computers, prompting isolation of the compromised systems and an investigative response. The data potentially accessed includes extensive personal and financial details, increasing the risk of identity theft for the affected individuals. Although the exact number of impacted customers was not disclosed, the breach has significant implications due to the sensitive nature of the services provided. The personal data compromised is highly valuable on cybercrime forums, raising concerns about potential misuse and identity theft. Following the incident, California Cryobank has taken steps to strengthen its cybersecurity measures and is offering 12 months of free identity protection services to victims. The delay in reporting the breach and the subsequent exposure of both donors and recipients pose heightened privacy and security risks. | Details |