Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12815
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-03-11 13:05:56 | bleepingcomputer | CYBERCRIME | CISA Alerts on Actively Exploited Ivanti EPM Security Flaws | CISA has identified three critical vulnerabilities in Ivanti Endpoint Manager (EPM) being actively exploited.
The vulnerabilities, tracked as CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161, are path traversal flaws that allow remote, unauthenticated full server compromise.
The flaws were originally reported by Horizon3.ai in October and patched by Ivanti in January; proof-of-concept exploits were released shortly after.
CISA has mandated Federal Civilian Executive Branch agencies to secure their systems against these flaws by March 31.
Although the directive targets federal agencies, CISA advises all organizations to prioritize these vulnerabilities in their cybersecurity efforts.
Multiple Ivanti vulnerabilities have been previously exploited in widespread attacks, including zero-day exploits targeting Ivanti’s VPN and gateway appliances.
A suspected espionage group with ties to China has been exploiting Ivanti products to deploy malware since the beginning of 2025. | Details |
| 2025-03-11 12:37:35 | thehackernews | MALWARE | Ballista Botnet Targets TP-Link Routers, Infects Thousands Worldwide | The Ballista botnet exploits a high-severity RCE vulnerability in unpatched TP-Link Archer routers, specifically model AX-21.
Over 6,000 devices globally have been infected, with significant impacts in Brazil, Poland, the UK, Bulgaria, and Turkey.
The botnet was first detected in action by the Cato CTRL security team on January 10, 2025, with ongoing activities observed as recent as February 17.
Malware linked to Ballista is capable of command injection, enabling remote code execution and spreading to additional devices.
The attacks initiate via a malicious shell script that downloads and executes the main malware, affecting various system architectures.
Ballista establishes an encrypted C2 communication channel, allowing attackers to execute further remote commands and potentially engage in DoS attacks.
Researchers suggest the malware is still under development, indicated by a shift from a static C2 IP address to Tor network domains.
Targets include sectors such as manufacturing, healthcare, and technology across multiple countries, including the US, Australia, China, and Mexico. | Details |
| 2025-03-11 11:29:17 | thehackernews | MISCELLANEOUS | The Need for Adversarial Exposure Validation in Cybersecurity | Organizations often face a false sense of security despite using updated tools and passing compliance audits.
Adversarial Exposure Validation (AEV) tests cybersecurity defenses under real-world conditions to ensure true resilience against attacks.
Compliance and risk scores usually provide theoretical safety but fail to pinpoint actual vulnerabilities that attackers exploit.
AEV offers a continuous cybersecurity stress test, moving beyond mere assumptions to real-world validation of security measures.
The practice is endorsed by leading CISOs and involves assuming breaches to proactively test and reinforce defenses throughout the entire attack process.
Gartner predicts that continuous exposure validation will soon be recognized as a suitable alternative to traditional pentesting in regulatory frameworks.
Organizations implementing AEV are projected to suffer significantly fewer breaches by focusing on true security needs.
Picus Security, a leader in security validation, integrates automated testing with breach simulations to enhance defense effectiveness. | Details |
| 2025-03-11 10:34:28 | thehackernews | MALWARE | Unveiling XWorm: Stealth Malware Hidden in Images via Steganography | Steganography is leveraged in cyberattacks to embed malicious payloads into image files, evading traditional security detections.
The XWorm malware campaign initiates with a phishing PDF that links to a deceptive download, followed by modifications to Windows Registry settings.
Upon system restart, a script triggers, utilizing PowerShell to download a VBS file, which appears harmless, hiding the real threat.
The actual malware, disguised in an image as a Base64-encoded executable, remains undetectable to many antivirus programs due to steganography.
Once the malware is extracted and executed, it gives attackers remote control over the infected system, allowing for data theft and system command execution.
Detection and analysis of such steganography-based threats are possible using interactive sandbox environments like ANY.RUN, which provide real-time analysis and visualization of hidden processes.
Proactive real-time threat monitoring and testing in controlled environments are recommended to enhance security postures and preemptive threat mitigation. | Details |
| 2025-03-11 08:40:31 | theregister | MISCELLANEOUS | MINJA Attack Technique Targets Memory of AI Agents | Researchers have identified a new type of attack, named MINJA, that manipulates the memory of AI agents through normal user interactions.
This attack does not require administrative access to AI systems, making it more broadly applicable and dangerous.
MINJA involves sending sequences of prompts that subtly alter AI memory, misleading the AI during user interactions.
The attack has been tested on several AI models, including those used in healthcare and retail, using OpenAI's GPT-4 technology.
The technique raises significant concerns, as it achieved an injection success rate of over 95% in experiments, indicating a high potential for widespread disruption.
The findings underline the need for improved security features around the memory functions of AI models to prevent such manipulations.
The research calls for increased vigilance and development of mitigation strategies to protect AI agents from memory-based attacks. | Details |
| 2025-03-11 07:10:13 | thehackernews | NATION STATE ACTIVITY | SideWinder APT Escalates Global Cyber Attacks on Key Sectors | Advanced Persistent Threat (APT) group SideWinder targets maritime and logistics sectors along with nuclear plants in Asia, Middle East, and Africa.
Attacks observed across multiple countries including Bangladesh, Egypt, and Vietnam, with expanded targets involving diplomatic entities and infrastructure.
SideWinder is known for upgrading its tools to evade detection and maintain persistence in compromised networks.
The group uses spear-phishing and malware such as StealerBot to infiltrate systems via known security vulnerabilities, including CVE-2017-11882.
Kaspersky highlights continuous monitoring and rapid adaptation of SideWinder's tactics following detection.
Efforts by security firms and entities to document and analyze the threat show a pattern of sophisticated, timed attacks aimed at sensitive data extraction.
SideWinder's activities highlight significant cybersecurity threats to international relations, energy security, and economic sectors globally. | Details |
| 2025-03-11 06:52:52 | thehackernews | MALWARE | Moxa Issues Critical Patch for Authentication Bypass in PT Switches | Taiwanese company Moxa has released a security update to fix a critical vulnerability in its PT switches, allowing authentication bypass.
The flaw, identified as CVE-2024-12297, received a high-severity CVSS v4 score of 9.2, indicating significant risk.
Attackers could exploit the vulnerability to perform brute-force attacks or MD5 collision attacks to compromise device security.
Affected Moxa PT switch versions require users to contact Moxa Technical Support for patching.
Recommendations for mitigating risks include using firewalls, network segmentation, multi-factor authentication, event logging, and monitoring for unusual network activities.
Moxa also recently patched similar critical vulnerabilities in its Ethernet switches and other network devices, highlighting ongoing security efforts.
The discovery of the vulnerability was credited to Artem Turyshev of Rosatom Automated Control Systems (RASU). | Details |
| 2025-03-11 04:05:59 | thehackernews | NATION STATE ACTIVITY | CISA Identifies Exploited Vulnerabilities in VeraCore and Ivanti EPM | CISA has updated its Known Exploited Vulnerabilities catalog with five new entries concerning Advantive VeraCore and Ivanti Endpoint Manager (EPM) due to active exploitation evidence.
The vulnerabilities in VeraCore have been actively exploited by a Vietnamese threat group known as XE Group, which uses reverse shells and web shells for sustained remote access.
Ivanti EPM's vulnerabilities have been publicly detailed, with reports of real-world attacks and a recent proof-of-concept exploit demonstrating credential coercion vulnerabilities.
Federal Civilian Executive Branch (FCEB) agencies are urged to implement necessary security patches for these vulnerabilities by March 31, 2025.
Concurrently, threat intelligence firm GreyNoise has reported a critical exploit targeting PHP-CGI, notably affecting several countries, with a high concentration of attack IPs originating from Germany and China.
GreyNoise notes a significant coordinated effort in February to scan and exploit networks across multiple nations, indicating the scale and organization of the attacks. | Details |
| 2025-03-10 23:18:45 | theregister | DATA BREACH | Allstate Sued for Massive Data Leak via Insecure Website | New York State has filed a lawsuit against Allstate Insurance for poorly secured websites that exposed thousands of driver's license numbers.
Attacker-created bots exploited the vulnerability in Allstate's National General quoting website, leading to significant personal data theft.
The quoting tool displayed full driver's license numbers in plaintext for anyone using the site, whether legitimately or fraudulently.
Bot attacks harvested personal data from at least 12,000 individuals without detection for over two months.
Despite resolving the security weaknesses, Allstate allegedly failed to notify over 9,100 affected New Yorkers in a timely manner, violating state laws.
A second breach occurred via a tool for insurance agents, which lacked robust access controls, affecting another 187,000 people.
The lawsuit criticizes National General's prioritization of profit over data security, leading to inadequate safeguards and password management practices.
New York seeks penalties and an injunction against Allstate to prevent future violations and to address failures in consumer data protection notifications. | Details |
| 2025-03-10 20:32:27 | theregister | MISCELLANEOUS | Major Outage for Chromecast Devices Due to Expired Certificate | Google's second-generation Chromecast and Chromecast Audio devices are experiencing an outage due to an expired security certificate.
The issue, identified on March 9, 2025, prevents devices from securely connecting to Google’s backend systems.
Users reported an "untrusted device" error, blocking content casting to TVs and other displays.
Google advises against factory resetting the devices, as the issue is related to certificate expiration, not device settings.
A temporary workaround involves setting a device's date prior to the certificate's expiry; however, this method has mixed success and may not work for all streaming services.
Google, having discontinued the Chromecast line in favor of Google TV Streamer, still faces challenges with support for older devices.
Similar incidents of expired certificates have affected other tech firms like Microsoft and Cisco in recent years. | Details |
| 2025-03-10 20:09:23 | bleepingcomputer | DDOS | Dark Storm Hacktivist Group Claims DDoS Attack on Platform X | The Dark Storm hacktivist group claimed responsibility for DDoS attacks that led to major worldwide outages of the X platform on Monday.
Elon Musk, owner of X, suggested a "massive cyberattack" with significant resources behind it, possibly implicating a large group or a nation-state.
Following the attack, X activated DDoS protection measures provided by Cloudflare, implementing CAPTCHA checks to mitigate suspicious activity.
Dark Storm has a history of targeting entities in Israel, Europe, and the US, aligning with pro-Palestinian motives.
The group posted evidence of the DDoS attack on their Telegram channel, linking to check-host.net as proof of the ongoing disruption.
Cloudflare's involvement has bolstered X’s defenses by screening excessive requests from single IP addresses and displaying CAPTCHAs across their help site.
The incident highlighted the increasing capability of hacktivist groups to disrupt large technology platforms using advanced botnet tactics. | Details |
| 2025-03-10 19:12:53 | bleepingcomputer | MISCELLANEOUS | U.S. Faces Record $12.5 Billion Fraud Losses in 2024, FTC Reports | Americans lost a record $12.5 billion to fraud in 2024, marking a 25% increase from the previous year according to the FTC.
Investment scams were the top fraud category, causing approximately $5.7 billion in losses with a median loss exceeding $9,000 per incident.
Imposter scams were the second most costly, resulting in losses around $2.95 billion.
Consumers aged 20 to 29 filed 44% of all fraud reports, indicating higher susceptibility compared to individuals over 70.
Losses from job scams and fake employment agencies surged from $90 million in 2020 to $501 million in 2024.
Scams initiated online caused over $3 billion in losses, while traditional contact methods resulted in approximately $1.9 billion.
Email remained the leading method of initial contact by scammers, followed by phone calls and text messages.
The FTC's Consumer Sentinel Network added 6.5 million consumer reports in 2024, including significant numbers concerning investment and imposter frauds. | Details |
| 2025-03-10 17:01:33 | bleepingcomputer | MISCELLANEOUS | FTC to Compensate Victims of Tech Repair Scam Companies | The FTC is distributing over $25.5 million to victims misled by tech support scams operated under the brands Restoro and Reimage.
These companies were fined $26 million for deceptive marketing practices, including fake system warnings and unnecessary repair services.
Consumers affected by these scams will receive notification emails for PayPal payments that must be redeemed within 30 days starting March 13.
The scam involved deceptive pop-ups and ads making false claims about computer health, with scans that invariably reported problems that did not exist.
Victims were coerced into purchasing costly repair plans and providing remote access to their computers under false pretenses.
Under the FTC order, Restoro and Reimage may not use deceptive telemarketing tactics or misrepresent computer issues.
FTC’s undercover operations confirmed the deceptive practices by documenting false diagnostics and hard sells on expensive repair services.
This payout follows other FTC actions targeting misleading business practices and privacy violations by different firms. | Details |
| 2025-03-10 16:08:10 | theregister | NATION STATE ACTIVITY | Sidewinder Expands Targets, Now Focuses on Maritime and Nuclear Sectors | Sidewinder, a prominent APT group known for targeting military and government entities, has expanded its focus to include maritime and nuclear organizations.
Increased activity has been detected in Africa, with recent campaigns concentrated in Djibouti and Egypt, indicating a strategic shift in geographic and sector focus.
The group continues to employ old vulnerabilities through spear-phishing attacks, delivering malware via documents that exploit remote code execution bugs.
Malware like “Backdoor Loader” and “StealerBot” are used to infiltrate and extract data from the targeted organizations; StealerBot remains a key tool since its discovery in 2024.
Attack documents are specifically tailored to look legitimate and relevant to the targeted industry, enhancing the likelihood of successful phishing.
Despite using older methods, Sidewinder’s ability to quickly update its tools to evade detection showcases its advanced technical capabilities.
Kaspersky labels Sidewinder as a highly advanced and dangerous adversary, capable of compromising critical assets and developing sophisticated malware. | Details |
| 2025-03-10 15:48:54 | bleepingcomputer | NATION STATE ACTIVITY | Switzerland Institutes 24-Hour Cyberattack Reporting for Critical Sectors | Switzerland's National Cybersecurity Centre (NCSC) has mandated a new rule requiring critical infrastructure entities to report cyberattacks within 24 hours.
This regulation, embedded in the Information Security Act (ISA), is set to be enforced starting April 1, 2025, to counter the rising number of cyber threats.
Affected sectors include utilities, transportation, and local government agencies, among others.
Entities failing to comply with the reporting mandate by October 1, 2025, may face fines up to CHF 100,000 ($114,000).
Reports can be filed via an online form or email, with a preliminary report due within 24 hours followed by a detailed report within 14 days.
The amendment aims to align with the EU’s NIS Directive, enhancing cybersecurity across essential services.
A leniency period is provided to help organizations adjust to the new requirements before penalties are enforced. | Details |