Daily Brief

Articles are listed below, each with a generated summary

Total articles found: 12814

Checks for new stories every ~15 minutes

2025-03-13 01:55:12 theregister MISCELLANEOUS Urgent Firefox Update Needed Before Root Certificate Expiry
Mozilla warns that Firefox builds older than version 128, or Extended Support Release builds older than 115.13, will start to break on March 14, 2025, when a root certificate used to verify Mozilla-signed content expires. Without the replacement root, an affected browser can no longer validate add-on signatures (so add-ons are disabled), play DRM-protected media, or receive the signed blocklist updates Mozilla uses to disable known-malicious add-ons and revoked certificates, which is why Mozilla frames the problem as a security exposure and not only a usability one. Mozilla strongly advises updating to the latest Firefox. Separately, Mozilla Root Store Policy (MRSP) v3.0 takes effect on March 15, 2025; it tightens how certificate authorities handle revoked certificates and separates TLS and S/MIME root certificates. The expiry does not affect Firefox on iOS or other browsers such as Chrome, Edge and Safari, but it does apply to Firefox on Windows, macOS, Linux and Android, and to Firefox-derived browsers such as Tor Browser, which need their own updates. Unlike May 2019, when an expired signing certificate unexpectedly disabled add-ons for a large share of users, Mozilla has issued this warning ahead of the expiry.
2025-03-12 21:08:50 bleepingcomputer MALWARE Facebook Reports Exploitation of Critical FreeType Flaw
Facebook (Meta) disclosed a high-severity vulnerability in FreeType 2, the widely used open-source font rendering library, that can lead to arbitrary code execution and that it reports as exploited in the wild. Tracked as CVE-2025-27363, the bug is an out-of-bounds write triggered while parsing specific font structures, so a crafted font file is enough to reach it; it affects FreeType 2.13.0 and earlier. FreeType is embedded in Linux distributions, Android, game engines and GUI toolkits, so the exposed surface is large. A fix has been in FreeType releases since 2023, meaning only builds that have not been updated since then are exposed; Facebook advised developers and administrators to confirm which FreeType version their products bundle or link against and to upgrade immediately. Neither the details of the exploitation nor whether Facebook's own platforms were affected have been made clear. Facebook said the disclosure is part of its wider effort to report and fix vulnerabilities in open-source software, and the case underlines the need for prompt patch management for widely embedded libraries, where a fix available upstream for years can still be missing from downstream products.
2025-03-12 19:33:56 bleepingcomputer MALWARE Medusa Ransomware Strikes 300+ US Critical Infrastructure Firms
Medusa ransomware has hit more than 300 organizations in U.S. critical infrastructure sectors, according to a joint advisory from CISA, the FBI and MS-ISAC. Affected sectors include medical, education, legal, insurance, technology and manufacturing. Medusa began as a closed operation and has since moved to a ransomware-as-a-service (RaaS) model, recruiting affiliates while the core group keeps control of key functions such as ransom negotiation. The advisory urges organizations to apply its recommended mitigations to reduce both the likelihood and the impact of an attack. Medusa first appeared in January 2021 and sharply increased its activity in 2023, when it launched a data leak site to pressure victims; the group has claimed more than 400 victims worldwide, including Toyota Financial Services. Note that several unrelated cybercrime operations also use the name "Medusa" (including MedusaLocker ransomware and a Medusa Android malware family), which has caused confusion in public reporting. The advisory follows earlier alerts about widespread Ghost ransomware attacks affecting organizations in more than 70 countries.
2025-03-12 17:40:09 bleepingcomputer NATION STATE ACTIVITY North Korean KoSpy Spyware Found on Google Play Store
Lookout researchers have identified KoSpy, a new Android spyware family they attribute to the North Korean group APT37 (ScarCruft), distributed through apps on Google Play and the third-party APKPure store. The apps offered limited legitimate functionality while loading the spyware in the background. Lookout tied the campaign to APT37 through IP addresses and domains shared with other North Korean operations. After installation, KoSpy retrieves an encrypted configuration from a Firebase Firestore database before contacting its command-and-control server, which can update its tasking dynamically; the data it collects includes SMS messages, call logs, location, files, audio and screenshots. The apps have been removed from Google Play and APKPure, but installed copies remain active until users uninstall them manually, and a factory reset is the safer option on a device known to be compromised. Google has also taken down related apps and Firebase projects and says Google Play Protect detects the samples. The Korean- and English-language targeting points to a focused espionage effort rather than a mass campaign.
2025-03-12 17:23:27 bleepingcomputer NATION STATE ACTIVITY Crypto Exchange Admin Arrested for Laundering and Sanctions Violations
Aleksej Besciokov, co-founder and administrator of the Russian crypto exchange Garantex, was arrested in Kerala, India, on U.S. charges including money laundering conspiracy and violating economic sanctions. U.S. prosecutors charged Besciokov and co-founder Aleksandr Mira Serda with knowingly letting the exchange process proceeds from hacking, ransomware, terrorism and drug trafficking. Garantex allegedly handled transactions for darknet markets and cybercrime groups and is said to have processed more than $60 billion in crypto transactions after the U.S. sanctioned it in April 2022. In the days before the arrest, U.S. and European authorities seized Garantex's domains and servers and froze more than $26 million in funds tied to its laundering activity; Tether blocked wallets holding Garantex funds, and the EU had already added the exchange to its sanctions package against Russian entities. The U.S. Secret Service and Department of Justice worked with German and Finnish authorities on the takedown, another example of cross-border law-enforcement action against crypto laundering services.
2025-03-12 15:07:35 bleepingcomputer MISCELLANEOUS Mozilla Urges Firefox Update Before Certificate Expiry
Mozilla is urging Firefox users to update before a root certificate expires on March 14, 2025. The certificate anchors the signatures on add-ons and other Mozilla-signed content, so builds that lack its replacement lose the ability to verify that content, which is both a usability and a security problem. Users need Firefox 128 or later, or Firefox ESR 115.13 or later. The expiry affects Firefox on Windows, Android, Linux and macOS; Firefox for iOS is not affected because it uses a separate certificate management mechanism. To check, open Menu > Help > About Firefox, which shows the installed version and also triggers an update check. An outdated browser will still run after the expiry, but Mozilla strongly advises against continuing to use one because add-ons, DRM playback and protections that depend on signed updates will fail. Mozilla has opened a support thread for users who run into update problems and for users of Firefox-based browsers such as Tor Browser, LibreWolf and Waterfox, which have to be updated through their own release channels.
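As an added example (not Mozilla's code) of turning the version thresholds above into a fleet check: the script below classifies installed Firefox versions against the two cut-offs (128 for release builds, 115.13 for the 115 ESR line) and lists the hosts that must be updated. The inventory format, host names and version strings are constructed for the demonstration.

```python
"""Fleet check for the March 14, 2025 Firefox root certificate expiry.

Added example, not Mozilla's code.  It encodes the two thresholds from
Mozilla's advisory: release-channel builds need 128 or later, and the
115 Extended Support Release line needs 115.13 or later.  The inventory
below is constructed sample data in a hypothetical "host version" format.
"""
import re

# Thresholds from the advisory.
RELEASE_MIN_MAJOR = 128
ESR_115_MIN = (115, 13)

# Accepts "128.0.3", "115.13.0esr", "116.0" and similar.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")

# Constructed inventory: one "<host> <firefox version>" pair per line.
INVENTORY = """\
host01 128.0.3
host02 115.12.0esr
host03 115.13.0esr
host04 127.0.2
host05 135.0.1
host06 116.0
"""


def parse_version(text):
    """Return (major, minor, patch, is_esr) for a Firefox version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    major, minor, patch, esr = m.groups()
    return int(major), int(minor), int(patch or 0), esr is not None


def is_affected(version):
    """True if this build lacks the new root and will lose add-on, DRM and
    blocklist verification after the expiry."""
    major, minor, _patch, _is_esr = parse_version(version)
    if major >= RELEASE_MIN_MAJOR:
        return False                          # 128+ (including 128 ESR) has the new root
    if major == 115:
        return (major, minor) < ESR_115_MIN   # backported to 115.13esr and later only
    return True                               # 116-127, and anything older than 115


def affected_hosts(inventory=INVENTORY):
    """Return [(host, version)] for every inventory entry that needs updating."""
    needs_update = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split()
        if is_affected(version):
            needs_update.append((host, version))
    return needs_update


if __name__ == "__main__":
    for host, version in affected_hosts():
        print(f"{host}: Firefox {version} must be updated before 2025-03-14")
```

Note the 115 line: a non-ESR 115.0.x build from 2023 is affected just like 115.12esr, because the replacement root was only backported to 115.13esr. For Tor Browser, LibreWolf or Waterfox, feed the script the underlying Firefox version they are built on, not their own product version number.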
2025-03-12 14:32:52 bleepingcomputer MALWARE Microsoft Responds to Zero-Day Exploit in Older Windows Versions
Microsoft has patched CVE-2025-24983, a zero-day in the Windows Win32 kernel subsystem that ESET reports has been exploited since March 2023. The bug is a use-after-free that lets a low-privileged local attacker gain SYSTEM privileges without user interaction; Microsoft rates the attack complexity as high because the attacker has to win a race condition. ESET observed the exploit being delivered through the PipeMagic backdoor, a malware family known for exfiltrating data, providing remote access and staging additional payloads. The exploit targets the unsupported Windows Server 2012 R2 and Windows 8.1, but the vulnerability also affects still-supported releases including Windows Server 2016 and Windows 10 build 1809, which is why the update matters beyond legacy fleets. Microsoft fixed several other actively exploited zero-days in the same March 2025 Patch Tuesday release, and CISA has added them to its Known Exploited Vulnerabilities catalog, ordering Federal Civilian Executive Branch agencies to patch by April 1.
2025-03-12 14:11:52 thehackernews NATION STATE ACTIVITY Chinese Hackers Infiltrate Juniper Networks with Sophisticated Backdoors
Mandiant reports that the Chinese espionage group UNC3886 has been planting custom backdoors on Juniper Networks routers, targeting defense, technology and telecommunications organizations mainly in the U.S. and Asia. The implants are variants of the open-source TinyShell backdoor adapted for Junos OS, with added capabilities such as disabling logging so that operator activity on the device leaves no trace. The group's tradecraft has shifted toward network perimeter devices: having obtained privileged access to the routers, the attackers bypassed Junos OS's Veriexec file-integrity protection by injecting code into the memory of trusted processes rather than writing new binaries to disk, giving them persistent remote access. UNC3886's wider toolkit includes the Reptile and Medusa rootkits (the Medusa Linux rootkit is unrelated to the Medusa ransomware covered above), PITHOOK for hijacking SSH credentials and GHOSTTOWN for anti-forensics. The emphasis throughout is on long-term, low-visibility access, backed by detailed knowledge of Junos OS internals. Mandiant and Juniper recommend upgrading affected devices to the latest Junos OS release and running Juniper's Malware Removal Tool to counter the implants.
2025-03-12 14:04:54 theregister NATION STATE ACTIVITY Chinese Spies Exploit End-of-Life Juniper Routers for Espionage
The Register's report on the same Mandiant findings: UNC3886 implanted custom backdoors and other malware on end-of-life Juniper MX routers, obtaining root access to devices running outdated hardware and software. Juniper has since published an advisory and a fix for the weakness the attackers abused. Google Threat Intelligence and Juniper said the victims are defense, technology and telecommunications organizations mainly in the U.S. and Asia; fewer than ten organizations are confirmed affected so far, but more are expected to find compromises now that the findings and indicators are public. Mandiant found no evidence of data exfiltration but did confirm deep compromise of the routers in victim environments. The attackers kept long-term access by deploying malware that bypassed the devices' built-in protections, avoiding detection for extended periods. UNC3886 targets both network edge devices and internal routing infrastructure, the kind of equipment Internet service providers depend on. Juniper says it is working with Mandiant and industry partners to strengthen defenses and urges customers to follow its security advisories.
2025-03-12 14:04:53 bleepingcomputer NATION STATE ACTIVITY Chinese Hackers Use Backdoors in EoL Juniper Routers
BleepingComputer's account: UNC3886 installed custom backdoors on end-of-life Juniper Junos OS routers that no longer receive security updates, using variants of the TinyShell malware. Mandiant first linked the implants to UNC3886 in mid-2024 and describes the operation as highly sophisticated. Junos OS includes Veriexec, a file-integrity mechanism that blocks unauthorized binaries, but the attackers sidestepped it by injecting malicious code into the memory of trusted, already-running processes. The backdoors use distinct command-and-control mechanisms chosen for stealth and persistence, which complicates detection and removal. Because the affected hardware is end-of-life, Juniper's guidance for those devices centers on mitigation steps and on updated signatures for the Juniper Malware Removal Tool (JMRT) rather than on software fixes; replacing the routers with models that run currently supported firmware is the recommended long-term remedy. Mandiant's report includes YARA and Snort/Suricata rules for detecting the implants, along with a full list of indicators of compromise (IoCs).
2025-03-12 14:04:53 bleepingcomputer DATA BREACH Navigating Modern Data Security Challenges in Browser Use
Employees frequently handle sensitive information across SaaS applications, transferring and copying data which poses significant data breach risks. Traditional data loss prevention (DLP) solutions are inadequate for browser-based activities where data handling blurs between personal and corporate environments. Browser activity, especially involving SaaS applications, has become the main avenue for data leaks as employees use both personal and business accounts interchangeably. Data loss primarily occurs in transit rather than at rest, highlighting the need for enhanced protective measures for data in motion through real-time browser monitoring and enforcement. Browser extensions and the usage of personal applications without clear policies contribute to unmanaged data exposure and complicate existing security measures. Implementing robust, browser-specific DLP policies and real-time threat detection capabilities is critical for ensuring data security in modern enterprise environments. Keep Aware offers solutions with features like click-by-click telemetry and DOM-tree analysis for proactive data breach prevention and immediate threat response within browsers.
2025-03-12 13:08:21 theregister NATION STATE ACTIVITY Small Massachusetts Utility Targeted by Chinese Hackers
Nick Lawler, general manager of the Littleton Electric Light and Water Departments (LELWD) in Massachusetts, learned from the FBI that the utility's network had been breached by Volt Typhoon, the Chinese state-backed group that pre-positions itself in U.S. critical infrastructure. He was initially skeptical, but the FBI and the Department of Homeland Security confirmed the intrusion, which took place during Thanksgiving week of 2023. Volt Typhoon got in through a firewall vulnerability that was publicly known but had not been patched by LELWD's service provider. LELWD was enrolled in a government-funded cybersecurity program and ran Dragos detection systems, which flagged unusual network traffic going to China. Federal investigators deployed additional monitoring on the network and deliberately left the attackers' entry point open for a time to observe their activity; the network was then cleaned and the firewall patched, and later federal testing confirmed the defenses held. Lawler suspects the small utility was chosen for reconnaissance and espionage rather than immediate disruption, consistent with the broader national-security concern about Volt Typhoon.
2025-03-12 11:59:00 thehackernews CYBERCRIME Over 400 IPs Target Multiple Platforms in SSRF Cyber Attack Surge
Threat-intelligence firm GreyNoise has observed a coordinated surge in exploitation attempts against server-side request forgery (SSRF) vulnerabilities, peaking on March 9, 2025. Targets were spread across the U.S., Germany, Singapore, India, Lithuania, Japan and Israel. At least 400 IP addresses were actively exploiting several SSRF CVEs, and many of the same IPs hit multiple distinct vulnerabilities at once, a pattern that points to automated, structured activity or to pre-compromise reconnaissance rather than opportunistic scanning. SSRF lets an attacker make a vulnerable server issue requests on their behalf, which can be used to map internal networks, reach services that are not exposed to the internet, and pull credentials from cloud instance-metadata endpoints. The researchers recommend applying the latest patches for the affected products, restricting unnecessary outbound connections from servers, and monitoring for unexpected outbound requests.
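As an added example of the input-side half of those mitigations (not GreyNoise's code or code from any affected product): a URL guard for a server-side fetcher that resolves the target host and rejects anything in loopback, link-local (the cloud instance-metadata range), private or other non-global address space, shown next to the substring-denylist pattern it replaces. The host table, the addresses and the fake_resolver/check_url names are constructed for the demonstration; the resolver is injectable so the check runs offline.

```python
"""Server-side URL fetch guard against SSRF.

Added example, not GreyNoise's code or code from any affected product.  It
resolves the requested host and refuses anything that lands in loopback,
link-local (where cloud instance-metadata services such as 169.254.169.254
live), private or otherwise non-global address space.  The name table and
addresses below are constructed test data.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS data for the demonstration (not real hosts).
FAKE_DNS = {
    "api.example.com": ["23.45.67.89"],                  # constructed public address
    "metadata.internal.example": ["169.254.169.254"],    # points at cloud metadata
    "intranet.example": ["10.20.30.40"],
    "dual.example": ["23.45.67.89", "::ffff:10.0.0.5"],  # one public, one mapped-private
}


def system_resolver(host):
    """Default resolver: every address getaddrinfo returns for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def fake_resolver(host):
    """Offline stand-in for system_resolver using FAKE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]   # IP literal, no lookup needed
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no constructed record for {host}")
    return list(FAKE_DNS[host])


def naive_check(url):
    """The weak pattern: a substring denylist on the raw URL.  Any hostname,
    IPv6 literal or alternate address encoding that resolves to the same
    place walks straight past it."""
    return not any(bad in url for bad in ("127.0.0.1", "localhost", "169.254.169.254"))


def blocked_reason(ip):
    """Why an address must not be fetched on a client's behalf, or None."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                # ::ffff:10.0.0.5 is really 10.0.0.5
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (instance metadata range)"
    if ip.is_private:
        return "private network"
    if not ip.is_global:
        return "non-global address"        # multicast, reserved, CGNAT, etc.
    return None


def check_url(url, resolver=system_resolver):
    """Return (True, [addresses]) if the URL may be fetched, else (False, reason).
    Every resolved address must pass, so a host with one public and one
    internal record is rejected rather than left to luck."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "userinfo in URL"    # http://trusted@evil/ style confusion
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = resolver(host)
    except (socket.gaierror, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    for addr in addresses:
        reason = blocked_reason(ipaddress.ip_address(addr))
        if reason:
            return False, f"{host} -> {addr} is {reason}"
    return True, addresses


if __name__ == "__main__":
    for url in ("http://api.example.com/v1/status",
                "http://metadata.internal.example/latest/meta-data/",
                "http://[::1]:8080/admin",
                "http://dual.example/"):
        print(url, "naive:", naive_check(url), "checked:", check_url(url, fake_resolver))
```

Two gaps remain that the check alone does not close. The fetch should connect to the address check_url returned rather than resolving the name a second time, otherwise a DNS rebinding attacker can answer with a public address for the check and an internal one for the fetch; and every redirect target must go through check_url again, since an allowed public host can simply 302 to the metadata service. Pair the check with the egress filtering the advisory recommends so that a bypass still meets a network-level block.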
2025-03-12 10:31:58 thehackernews MISCELLANEOUS AI Enhances Penetration Testing, Not Replacing Humans
McKinsey revised its prediction on job displacement by AI to 92 million by 2030, down from 375 million. AI is seen as augmenting the capabilities of penetration testers, not replacing them. Automation through AI will handle repetitive tasks, allowing pentesters to focus on high-value, complex aspects of security testing. AI advancements are lowering entry barriers for less experienced testers, enabling them to perform sophisticated tasks without deep technical knowledge. In the field of social engineering, AI improves the realism of phishing simulations, aiding in better preparation against real-world attacks. AI's role in pentesting is viewed as a partner that enhances efficiency and effectiveness of tests while demanding creativity and deep technical insights from human testers. The collaborative use of AI in pentesting leads to a more empowered profession, making testers highly adept and competitive.
2025-03-12 10:23:29 theregister MISCELLANEOUS UK Government Advised to Increase Cybersecurity Salaries
Cat Little, Chief Operating Officer of the UK Civil Service, has acknowledged that government needs to pay competitive salaries to attract top cyber talent. Public sector pay currently lags the private sector by a wide margin, which limits recruitment of skilled security professionals. A National Audit Office report criticized the government's slow progress toward its 2025 cyber resilience goals. Public sector pay became a political flashpoint when it emerged that former chief of staff Sue Gray was paid more than the Prime Minister. The government wants to replace expensive contractors with permanent senior specialists such as CISOs and CIOs, which it argues would be cheaper in the long run. The report also highlighted the resource strain caused by ransomware, citing the financial impact of the 2023 attack on the British Library. The government estate includes hundreds of legacy systems classified as out of date, which weakens its security posture, and because information about those systems is held in a decentralized way across departments, there is no complete picture of the exposure or of how to address it.