Daily Brief
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-03-04 16:20:15 | bleepingcomputer | MALWARE | New Polyglot Malware Targets Aviation and Satcom Industries | A new, previously undocumented polyglot malware named Sosano is attacking the aviation, satellite communication, and critical transport sectors in the UAE. Proofpoint linked the attacks to 'UNK_CraftyCamel', a group with potential ties to the Iranian-affiliated groups TA451 and TA455 and a focus on cyber-espionage. The malware uses polyglot techniques, mixing file formats to evade detection, and the intrusion begins with spear-phishing emails sent from a compromised Indian electronics firm. Victims receive emails containing a malicious URL that leads to a spoofed site, which serves an archive containing a deceptive LNK file and polyglot PDFs with hidden malicious code. The Sosano backdoor executed from these files connects to a command-and-control server, allowing remote operations and showing significant capabilities despite its simple construction. Sosano persists on infected devices, underlining the need for detection tools capable of inspecting multiple file formats and for user education to prevent opening suspicious files. |
| 2025-03-04 15:34:39 | bleepingcomputer | CYBERCRIME | Polish Space Agency Struggles to Recover from Cyberattack | The Polish Space Agency (POLSA) experienced a cybersecurity incident that led to the shutdown of its systems. POLSA disconnected from the Internet to contain the breach and secure its data. After discovering the breach, POLSA informed the relevant authorities and launched an inquiry into the incident's impact. The nature of the incident has not been disclosed, nor has the agency attributed the attack to a specific threat actor. The Register reported that POLSA staff resorted to using phones after the email systems were compromised. The Polish Computer Security Incident Response Teams (CSIRT NASK and CSIRT MON) are helping POLSA restore the affected services. Intensive efforts are under way to identify the perpetrators, with regular updates promised. POLSA, established in 2014, is a key component of the Polish space and defense sectors and works closely with the ESA and other international partners. |
| 2025-03-04 15:09:04 | bleepingcomputer | CYBERCRIME | Ransomware Attack on Tata Technologies Claims Data Theft | The Hunters International ransomware gang targeted Tata Technologies in January, compromising parts of its IT systems. The gang claims to have exfiltrated 1.4 terabytes of data and threatens to publish it if a ransom is not paid. Despite the attack, Tata Technologies reported minimal disruption to operations, with client services unaffected. Tata Technologies is carrying out restoration efforts and an internal investigation with expert assistance. More than a month has passed without further updates from Tata; meanwhile, Hunters International has publicly claimed responsibility on the dark web. Tata Technologies, a major provider of engineering and digital solutions for the manufacturing sector, employs over 12,500 people across 27 countries. Hunters International has a history of high-profile attacks, including ones against U.S. and Japanese firms, and a pattern of aggressive extortion tactics. |
| 2025-03-04 14:17:21 | thehackernews | CYBERCRIME | Broadcom Issues Urgent Patches for Exploited VMware Flaws | Broadcom has released updates for critical security vulnerabilities in VMware ESXi, Workstation, and Fusion. The flaws were actively exploited and allow code execution and information disclosure. Affected versions span multiple releases of VMware's products. Broadcom has confirmed the exploitation but has not disclosed further details on the attacks or the attackers. The Microsoft Threat Intelligence Center was credited with discovering and reporting the issues. Broadcom stresses the urgency of applying the new patches to protect against these threats. |
| 2025-03-04 13:25:29 | bleepingcomputer | CYBERCRIME | Broadcom Discloses Three VMware Zero-Days Used in Recent Attacks | Broadcom announced three exploited VMware zero-days, raising concern in the cybersecurity community. The vulnerabilities affect several VMware products, including ESXi, vSphere, and Cloud Foundation, and so potentially a wide range of enterprise operations. Attackers leveraging the flaws can escalate from a compromised virtual machine to the host system, increasing the potential for significant breaches. One of the flaws, a VMCI heap overflow, allows code execution on the host, while another enables arbitrary kernel writes; both are key to sandbox escapes. Microsoft's Threat Intelligence Center first reported the zero-days as actively exploited in the wild. VMware products are frequently targeted by both ransomware groups and nation-state actors because of their prevalence in managing sensitive data. Recent history shows a pattern of VMware vulnerabilities being exploited, including two significant flaws patched last September. Broadcom had previously reported exploitation of VMware vulnerabilities by Chinese state hackers, underscoring the ongoing importance of securing these environments. |
| 2025-03-04 11:41:55 | bleepingcomputer | NATION STATE ACTIVITY | Serbian Authorities Exploited Zero-Days to Unlock Devices, Google Responds | Google released patches for 43 Android security vulnerabilities in its March 2025 update, including fixes for two exploited zero-days. Serbian authorities used one zero-day, CVE-2024-50302, to unlock confiscated devices; the flaw resides in the Linux kernel driver for Human Interface Devices. The exploit was developed by the Israeli company Cellebrite as part of a zero-day chain that also involved other vulnerabilities in USB functionality. Amnesty International's Security Lab discovered the exploitation by analyzing logs from a device unlocked by Serbian officials. Google has fixed another serious zero-day (CVE-2024-43093), which allows privilege escalation in the Android Framework without user interaction. The update also addresses 11 vulnerabilities allowing remote code execution on affected devices. Google has provided the updates to OEM partners for implementation, with Google Pixel devices receiving them immediately; other manufacturers may follow varying schedules. Prior security updates in November also tackled two zero-days, one of which (CVE-2024-43047) was used in spyware attacks by the Serbian government against activists and journalists. |
| 2025-03-04 11:03:45 | thehackernews | CYBERCRIME | AI-Driven Automation Escalates Credential Stuffing Threats | Credential stuffing attacks, already a serious problem, could worsen with new AI technologies that automate and scale them. Stolen credentials, the most common attack method in 2023/24, remain readily available, with recent dumps containing millions of compromised credentials. High-profile breaches, such as those affecting Snowflake customers, illustrate the ongoing exploitation of stolen credentials. Traditional web application safeguards such as CAPTCHA are being circumvented by advanced AI agents capable of interacting with systems in human-like ways. Breaches of thousands of identities per organization are facilitated by the decentralized nature of business apps and platforms. OpenAI's Operator, a new "Computer-Using Agent", demonstrates the potential to scale credential stuffing attacks significantly without custom coding. While it is still early, the emergence of such technologies suggests a looming increase in systemic breaches, requiring organizations to prioritize defending their identity attack surface. |
| 2025-03-04 10:22:56 | theregister | DATA BREACH | Research Reveals Google's Unauthorized Android User Tracking | Research by Professor Doug Leith of Trinity College Dublin indicates that Android devices transmit user data to Google without explicit consent. Android users are tracked via pre-installed apps such as Google Play Services, with identifiers like the DSID advertising cookie used without user authorization. The DSID cookie, designed for personalized advertising, is linked to user accounts and has no opt-out, raising consent issues. Another permanent tracker, the Google Android ID, is associated with the user's Google account and continues sending data even after log-out; it can only be removed by a factory reset. Leith's findings suggest potential violations of European privacy laws, since these practices occur without user consent and involve personally identifiable information. Google declined to discuss legal aspects when approached by Leith and disagreed with his legal analysis, while emphasizing its commitment to user privacy and compliance with privacy regulations. The introduction of Android System SafetyCore, which scans photos for explicit content with no option to disable it, has also been criticized for non-consensual data handling. |
| 2025-03-04 10:00:54 | thehackernews | NATION STATE ACTIVITY | Iranian Hackers Target UAE Aviation with Sophisticated Phishing Attack | Suspected Iranian hackers targeted fewer than five entities in the UAE's aviation and satellite communications sectors in a sophisticated phishing campaign. The attackers used a compromised email account at INDIC Electronics, a trusted Indian electronics firm, to send malicious emails. The emails contained a link to a counterfeit domain hosting a ZIP file of misleading documents designed to install a novel Golang-based backdoor named Sosano. The campaign employed complex obfuscation techniques, including polyglot files that appear legitimate but perform malicious actions when executed. Proofpoint's analysis suggests that the campaign, labeled UNK_CraftyCamel, does not match the known tactics of other threat actors, indicating a possibly new adversary that may be affiliated with the Islamic Revolutionary Guard Corps (IRGC). This highly targeted attack demonstrates the use of strategic web compromises and trusted third-party relationships to breach high-value targets. The operation reflects broader geopolitical motives, aiming to gather intelligence relevant to economic stability and national security. |
| 2025-03-04 09:03:56 | thehackernews | CYBERCRIME | Over 4,000 ISPs Hit by Brute-Force Attacks Deploying Malware | Over 4,000 ISP networks in China and on the U.S. West Coast were targeted in a major campaign deploying information stealers and cryptocurrency miners. The Splunk Threat Research Team identified the campaign, which kept operations minimal to avoid detection and relied on scripting tools such as Python and PowerShell. The attackers used brute-force methods to exploit weak credentials, primarily from IP addresses in Eastern Europe. Compromised systems underwent a preparatory phase that disabled security features and stopped cryptominer detection services. The deployed tools included screen capture, clipboard theft of cryptocurrency addresses, and communication back to a C2 server via Telegram. Additional malware payloads enabled further network scanning, data theft, and cryptocurrency mining (XMRig). Tools such as Masscan were used to scan large networks and facilitate further brute-force credential attacks on ISPs. |
| 2025-03-04 08:42:40 | theregister | CYBERCRIME | Surge in Deepfake Scams Threatens Online Identity Verification | High-profile deepfake scams have increased sharply, with a reported 300 percent surge in face swap attacks on real-time video calls. Cybercriminals are using sophisticated AI deepfake technology to bypass facial-recognition-based identity verification in online meetings. iProov's annual threat intelligence report shows a significant rise in injection attacks and in the use of virtual camera software for identity spoofing. The report outlines more than 100,000 potential attack combinations, reflecting a complex ecosystem of tools and methods. Online markets have expanded the availability of deepfake tools, making them accessible to a broader range of criminals. Despite its complexity, deepfake technology is used more and more often because of its high potential for financial damage in scams. iProov highlights the importance of layering multiple defenses in organizational security strategies, since traditional frameworks may no longer be effective on their own. Public awareness remains low: a study found that only a tiny fraction of people can accurately detect deepfakes, underlining the need for better user training. |
| 2025-03-04 04:55:55 | thehackernews | CYBERCRIME | CISA Warns of Active Exploits in Cisco, Microsoft, and Others | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of software flaws in products from Cisco, Hitachi Vantara, Microsoft, and Progress. Five vulnerabilities have been added to CISA's Known Exploited Vulnerabilities catalog, prompting urgent mitigation. Sekoia, a French cybersecurity firm, reported that CVE-2023-20118 is being used to enlist routers into the PolarEdge botnet. The Shadowserver Foundation has observed exploitation of CVE-2024-4885, with attacks detected as recently as August 1, 2024. Analysis from GreyNoise identifies exploitation attempts from multiple countries, including Hong Kong, Russia, Brazil, South Korea, and the United Kingdom. Federal Civilian Executive Branch agencies are directed to implement the necessary security measures by March 24, 2025. |
| 2025-03-04 04:09:53 | thehackernews | MALWARE | Google Updates Android to Fix Actively Exploited Vulnerabilities | Google's March 2025 Android Security Bulletin addresses 44 vulnerabilities, including two under active exploitation. The vulnerabilities, CVE-2024-43093 and CVE-2024-50302, are high-severity issues, the latter being part of a zero-day exploit chain used by Cellebrite. CVE-2024-43093 had previously been reported as actively exploited in Google's November 2024 security advisory. CVE-2024-50302 was exploited alongside two other Linux kernel vulnerabilities to install NoviSpy spyware on a Serbian activist's phone. The vulnerabilities were patched in updates last year, with the most recent fixes included in the March 2025 releases. Google has provided two patch levels, 2025-03-01 and 2025-03-05, to enable faster mitigation across Android devices. Google has acknowledged that both vulnerabilities saw "limited, targeted exploitation." |
| 2025-03-04 03:21:15 | theregister | CYBERCRIME | Strengthening API Security in Asia-Pacific's Open Banking | Open banking has transformed financial services in Asia-Pacific, improving customer personalization and financial inclusion. The expansion of API networks in open banking increases the risk of cyberattacks because of sensitive data exposure and interaction with numerous third-party providers. Common API vulnerabilities include broken authorization, weak authentication, injection attacks, and excessive data exposure. Significant breaches have occurred, such as unauthorized access to an Indian fintech's customer data and an SQL injection affecting a Singaporean bank. Financial institutions are advised to adopt comprehensive API management, enforce multi-factor authentication, and implement zero-trust architectures. Ensuring third-party security and continuous monitoring is critical given the interconnected nature of modern API ecosystems. By prioritizing robust API security, financial institutions can mitigate risks and make the most of open banking opportunities. |
| 2025-03-04 02:18:18 | theregister | NATION STATE ACTIVITY | Shifting U.S. Cybersecurity Focus Amid Mixed Messages on Russia | Reports of a pause in offensive cyber operations against Russia by U.S. Cyber Command raise questions about the U.S. stance toward Russian cyber activities. Despite the Pentagon's pause, CISA insists on a consistent posture of defending U.S. critical infrastructure from all threats, including Russia. The contrast between the Pentagon's apparent de-prioritization and CISA's continued vigilance creates confusion about actual U.S. policy toward Russian cyber threats. Internal communication within CISA and recent actions by the Trump administration suggest a possible softening of the U.S. approach to Russia, affecting global perception and cybersecurity alliances. Personnel reductions at CISA and mixed political signals could weaken U.S. capabilities and focus on countering Russian cyber operations. Some analysts fear that less attention to Russian cyber threats could increase global cyber vulnerability and pose risks to U.S. national security. The repositioning on Russia comes amid broader shake-ups in U.S. foreign policy that affect traditional alliances and international stability. |