Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 12815
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-03-09 12:30:11 | bleepingcomputer | NATION STATE ACTIVITY | Billion Device Bluetooth Chip's Undocumented Commands Exposed | Researchers discovered undocumented commands in the ESP32 chip, potentially affecting over 1 billion devices. These hidden commands allow unauthorized data access, device spoofing, and could enable attacks across networks. The ESP32 chip, vital for Wi-Fi and Bluetooth in IoT devices, could be exploited to impersonate devices and bypass security controls. The potential risks highlighted include both supply chain attacks and malicious OEM implementations. A new custom USB Bluetooth driver created by researchers facilitated this discovery by allowing raw Bluetooth traffic access. The undocumented commands include capabilities for memory manipulation and packet injection. Tracking of this security issue is now under CVE-2025-27840, indicating a serious vulnerability. Physical device access poses a high threat, but remote exploitation is plausible under certain conditions. | Details |
| 2025-03-08 17:48:37 | bleepingcomputer | CYBERCRIME | Developer Sabotages Ex-Employer's Systems with Malware and Kill-Switch | Davis Lu, a former software developer, was convicted for intentionally damaging his ex-employer Eaton Corp's computer systems using malware and a "kill switch." After a demotion following a 2018 corporate restructuring, Lu enacted revenge through disruptive software that crashed production servers and blocked user access. His sabotage included infinite loops in code that drained server resources and the deletion of coworker profiles to cripple operations. The kill switch, named "IsDLEnabledinAD," was activated upon his termination, locking thousands of employees out of company systems. Further malicious activities included the deletion of encrypted data from his company laptop before returning it, following his termination. His search history included queries on escalating privileges and hiding processes, and his actions led to significant financial losses for Eaton Corp, estimated in the hundreds of thousands of dollars. He faces up to 10 years in prison for a charge of causing intentional damage to protected computers; a sentencing date remains undecided. | Details |
| 2025-03-08 16:18:56 | bleepingcomputer | MALWARE | Undocumented Backdoor in Wi-Fi/Bluetooth Chip Affects Billions | Spanish researchers discovered undocumented backdoor commands in Espressif's ESP32 chip, used in over a billion IoT devices. The backdoor could allow attackers to spoof trusted devices, access unauthorized data, and pivot to other network devices. The findings were presented at the RootedCON security conference in Madrid by researchers from Tarlogic Security. This backdoor also poses risks for long-term persistence attacks, which could affect the security of interconnected devices. The new tool developed by Tarlogic enables direct, raw access to Bluetooth traffic, aiding in the discovery of these vulnerabilities. In total, 29 undocumented commands were found, lending themselves to potential malicious use such as memory manipulation and packet injection. Espressif, the chip manufacturer, has not documented these commands, raising concerns about intentional backdoor access or overlooked security flaws. | Details |
| 2025-03-08 16:10:54 | theregister | MISCELLANEOUS | Apple Enhances OS Security with Kernel Exclaves Technology | Apple has updated the XNU kernel used in iOS and macOS to implement "exclaves," enhancing security through isolation of key functions. Exclaves in Apple's context are isolated domains that protect crucial operations within macOS, preventing access even if the kernel is compromised. The feature is part of Apple's strategy to combine the security benefits of a microkernel architecture with XNU's existing monolithic structure. Specific resources within exclaves are protected using the Secure Page Table Monitor introduced with the Apple A15 chip. A new Secure Kernel (SK) has been developed to execute exclave services, with an architecture likely inspired by, but not directly copied from, the seL4 microkernel. The security revamp is aimed at mitigating risks associated with AI workloads and the increased complexity of modern computing environments. The enhancements make the operating system more secure by compartmentalizing sensitive services and limiting the potential impact of a breach. According to sources, although the project is substantial, Apple has not yet publicized it extensively, as it is still in progress and pending full confidence in its security claims. | Details |
| 2025-03-08 15:13:45 | bleepingcomputer | MALWARE | Cybercriminals Use YouTube Claims to Spread Malware | Cybercriminals are exploiting YouTube's copyright strike policy by fooling creators into promoting malware-laced Windows Packet Divert (WPD) tools. Attackers pose as developers, threatening YouTube channel owners with channel strikes and takedowns unless they comply by embedding specific malware links in their videos. The malware, disguised as WPD tools, includes trojanized versions hosting a cryptominer downloader, primarily targeting Russian users. Over 400,000 views were recorded on a compromised YouTube video, leading to around 40,000 downloads before the malicious link was removed. The Python-based malware loader in the archive is designed to bypass antivirus detection and includes anti-sandbox and anti-VM capabilities. Once installed, the malware disables Microsoft Defender, establishes persistence, and eventually downloads a cryptominer that mines various cryptocurrencies. Kaspersky warns that such practices not only jeopardize user security but could lead to broader and more severe cyber threats. Users are advised to refrain from downloading software from non-official URLs promoted in YouTube videos or descriptions to avoid falling victim to such schemes. | Details |
| 2025-03-08 01:20:26 | theregister | CYBERCRIME | Senior Developer Convicted for Sabotaging Company Networks | Davis Lu, a senior software developer, was found guilty of intentionally damaging his former employer's computer systems. After being demoted during a corporate restructuring, Lu introduced malware that led to significant system disruptions. He implemented a "kill switch" that locked thousands of employees out of their accounts when his employment was terminated. The disruptions caused hundreds of thousands of dollars in damages and operational challenges globally. The malware Lu created included applications whimsically named after terms implying destruction and incapacitation. Federal investigators discovered his malicious activities after forensic analysis of the internal servers and his company laptop. Lu's search history contained queries about escalating privileges and deleting data, indicating premeditation. He faces up to ten years in prison, with sentencing scheduled for a later date. | Details |
| 2025-03-07 19:22:04 | bleepingcomputer | DATA BREACH | U.S. Recovers $23 Million in Cryptocurrency Following LastPass Breach | U.S. authorities have successfully seized over $23 million in cryptocurrency originally stolen via a hack of a password manager. The theft, amounting to $150 million, was linked to a 2022 breach of the password manager LastPass. Hackers used stolen private keys from LastPass to access and siphon funds from a Ripple crypto wallet owned by a prominent individual. The stolen funds were traced to multiple cryptocurrency exchanges, leading to the recovery of a substantial amount of the stolen cryptocurrency. Investigators determined the attack involved decryption of data from the breached password manager, rather than hacking the victim's personal devices. No specific individuals have been publicly identified as perpetrators, but the operation likely required collaboration across several malicious actors. The Department of Justice has filed a forfeiture complaint to handle the legal proceedings related to the recovery of the stolen assets. | Details |
| 2025-03-07 18:56:07 | theregister | CYBERCRIME | US Charges Garantex Admins Amid $96 Billion Crypto-Laundering Bust | The US Secret Service-led operation seized the Russian crypto exchange Garantex, freezing assets and coordinating with German and Finnish law enforcement. The Justice Department has charged two alleged Garantex administrators with facilitating money laundering activities linked to ransomware groups and other criminal entities. Over $96 billion in cryptocurrency transactions were processed by Garantex since 2019, including funds related to ransomware and money stolen from blockchain networks. The seized operations included three key Garantex domain websites and various servers across Germany and Finland that supported the exchange. Defendants Aleksej Besciokov and Aleksandr Mira Serda are accused of laundering criminal proceeds, violating sanctions, and operating without a proper license. The indictment also reveals that the Garantex platform was used to transfer funds to illicit activities, including darknet drug markets and money laundering services. Despite the criminal charges, the likelihood of the defendants appearing in US court is low due to their residence in Russia and the UAE. | Details |
| 2025-03-07 18:41:21 | bleepingcomputer | MALWARE | Critical Botnet Exploitation of Legacy IP Cameras Detected | A critical vulnerability in Edimax IC-7100 IP cameras is currently being exploited by a botnet. The flaw described is a severe command injection vulnerability, identified as CVE-2025-1316, with a 9.3 CVSS score. Akamai researchers discovered the issue and have observed ongoing malicious activity targeting these devices. Edimax has not yet responded to multiple notifications from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) regarding the flaw. The affected IP camera model, released in October 2011, is now listed as a legacy product and may not receive updates or support. Attackers exploit the vulnerability to perform activities such as launching DDoS attacks, relaying malicious proxy traffic, and compromising other networked devices. CISA advises users to minimize internet exposure for these devices, apply network segmentation, and use updated VPNs for secure remote access. Indicators of compromise include device performance issues, overheating, changes in settings, and unusual network traffic patterns. | Details |
| 2025-03-07 17:22:04 | bleepingcomputer | DATA BREACH | Employee Charged for Leaking Unreleased Movies Online | Steven R. Hale, a 37-year-old resident of Memphis, was charged with stealing and distributing DVDs and Blu-rays of unreleased movies. Hale was employed by a multinational company that manufactured and distributed movie discs for major studios. The stolen content includes high-profile films such as "F9: The Fast Saga", "Venom: Let There Be Carnage", and "Spider-Man: No Way Home". Hale allegedly ripped digital copies from these discs and bypassed encryption to share them online before their official release. The unauthorized distribution led to tens of millions of downloads and significant financial losses for the copyright owners. Charges against Hale include one count of interstate transportation of stolen goods and two counts of criminal copyright infringement. If convicted, he faces up to 20 years in prison, with 10 years for the stolen goods count and five years for each copyright infringement count. | Details |
| 2025-03-07 15:41:25 | bleepingcomputer | CYBERCRIME | U.S. Indicts Garantex Cryptocurrency Exchange Administrators | U.S. authorities have charged the administrators of the Russian crypto exchange Garantex with money laundering and violating sanctions. Defendants Aleksej Besciokov and Aleksandr Mira Serda have been accused of facilitating criminal proceeds through the Garantex platform and face charges that could lead to maximum penalties of up to 20 years. Garantex has processed transactions worth at least $96 billion since 2019, involving funds linked to criminal activities such as hacking and drug trafficking. The U.S. Justice Department seized Garantex's domains and servers and froze over $26 million in connection with the investigation. The actions are part of coordinated efforts with law enforcement in Germany and Finland. European sanctions have also impacted Garantex, leading to the suspension of its services after Tether blocked the company's digital wallets. Despite previous sanctions and losing its license in Estonia due to compliance failures, Garantex continued operations through questionable means. | Details |
| 2025-03-07 15:31:51 | theregister | CYBERCRIME | Arrests Made in $635K Taylor Swift Ticket Scalping Scheme | Two individuals, Tyrone Rose and Shamara Simmons, have been arrested and charged with grand larceny and computer tampering related to the theft of over 900 event tickets. The accused exploited a vulnerability in an offshore ticketing system to illegally acquire and sell tickets to events including Taylor Swift concerts, raking in approximately $635,000. The cybercrime operation potentially involved multiple individuals across locations in Kingston, Jamaica, and Queens, New York. The stolen tickets were sold on StubHub in the US at significant mark-ups, impacting several high-profile events beyond Taylor Swift shows, such as Adele and Ed Sheeran concerts, NBA games, and the US Open. Queens District Attorney Melinda Katz highlighted the collaborative efforts of her office's Cybercrime and Cryptocurrency Unit and industry partners like StubHub to apprehend the criminals. If convicted, Rose and Simmons face three to fifteen years in prison. StubHub remains vigilant against security threats, having previously faced similar security challenges with customer accounts and fraudulent ticket sales. | Details |
| 2025-03-07 14:19:25 | thehackernews | MALWARE | Sophisticated Ragnar Loader Empowers Cybercrime and Ransomware Operations | Ragnar Loader is a multifaceted malware toolkit utilized by cybercrime groups such as Ragnar Locker, FIN7, and FIN8 for persistent system access and ransomware deployment. Initially documented by Bitdefender in 2021, Ragnar Loader has evolved with new features that amplify its modularity and stealth to avoid detection. The toolkit enables long-term footholds in targeted systems using sophisticated techniques like PowerShell payloads, encryption, and process injection. PRODAFT reports that the malware includes capabilities for reverse shell creation, local privilege escalation, and remote desktop access through a command-and-control interface. Ragnar Loader features advanced anti-analysis measures like dynamic process injections and token manipulations, enhancing its resilience and operational stealth. It allows threat actors to maintain control over compromised systems and facilitate lateral movement within the network using additional PowerShell-based tools. The malware also supports backdoor functionalities like running DLL plugins and code for file read and exfiltration, further complicating cybersecurity defenses. Ragnar Loader's increasing complexity highlights the growing sophistication of ransomware ecosystems, representing a significant threat to global cybersecurity. | Details |
| 2025-03-07 13:48:39 | bleepingcomputer | DATA BREACH | Data Breach at NTT Affects 18,000 Corporate Customers | NTT Communications Corporation disclosed a data breach impacting nearly 18,000 corporate customers. Unauthorized access to NTT's systems was confirmed on February 5, 2025, leading to a potential leak of customer information. Hackers targeted the 'Order Information Distribution System,' accessing information on corporate accounts, though personal consumer data remained secure. Although initial access was blocked by February 6, further examination revealed attackers had moved laterally to another system device by February 15. This incident follows a history of cybersecurity challenges for NTT, including a major DDoS attack in January 2025 and a previous data breach in May 2020. NTT has decided against individual notifications to affected customers, opting for a public announcement as the primary means of communication. The breach had no impact on NTT Docomo's contracts for corporate smartphones and mobile phones. | Details |
| 2025-03-07 13:08:46 | thehackernews | MALWARE | Microsoft Exposes Global Malvertising Campaign Impacting Millions | Microsoft has identified a large-scale malvertising campaign affecting over 1 million devices globally, primarily via illegal streaming sites. This campaign funnels users through a complex redirection scheme starting from malvertising to multiple platforms including GitHub, used as an initial payload distribution site. Victims are subjected to multiple types of malware including Lumma Stealer and Doenerium, and data-stealing tools like NetSupport RAT and AutoIT scripts. The attackers exploit common applications and system tools such as PowerShell and JavaScript to execute a sophisticated sequence of collection and exfiltration of sensitive data. Significant emphasis has been placed on extracting financial information, including scanning for cryptocurrency wallets. The malware operation has been noted for its stealth, using living-off-the-land binaries and scripts (LOLBAS) for movement across networks and maintaining persistence. A related cybersecurity concern highlighted involves fake AI chatbot sites (e.g., DeepSeek and Grok) tricking users into downloading malware through social media platforms. | Details |