Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-03-03 20:59:08 | bleepingcomputer | DATA BREACH | Rubrik Rotates Keys Following Server Breach Incident | Rubrik, a cybersecurity firm, had one of its log file servers breached, exposing sensitive access information. In response, Rubrik rotated authentication keys as a precaution, despite no evidence of misuse. The breach was confirmed not to be a ransomware attack, and there was no communication from the attackers. An external forensic team helped verify that the breach was confined to a single server and did not affect customer data or internal code. Previously, Rubrik was among the victims of the broader data theft carried out through the Fortra GoAnywhere attacks by the Clop ransomware gang. Rubrik serves a substantial customer base, including major corporations and institutions such as AMD, PepsiCo, and Harvard University. |
| 2025-03-03 19:24:24 | bleepingcomputer | NATION STATE ACTIVITY | CISA Continues Monitoring Russian Cyber Threats, Denies Shift | DHS refutes claims that CISA has ceased monitoring Russian cyber activity, affirming no change in its mission to protect U.S. critical infrastructure. Media reports suggesting a redirection of focus solely towards China and neglect of Russian cyber threats were labeled untrue by DHS officials. CISA's responsibilities include safeguarding election infrastructure and mitigating risks from foreign cyber threats through intelligence sharing and coordination. Tricia McLaughlin of DHS criticized the Guardian's report as baseless, stating that the alleged memo instructing CISA to ignore Russian cyber activity does not exist. Defense Secretary Pete Hegseth reportedly ordered a temporary stand-down on offensive cyber operations against Russia during ongoing diplomatic negotiations related to Ukraine. DHS and CISA emphasize an ongoing commitment to addressing cybersecurity threats from all nation states, including Russia, and a proactive defensive posture. |
| 2025-03-03 17:54:41 | bleepingcomputer | NATION STATE ACTIVITY | CISA Identifies Exploited Vulnerabilities in Cisco and Windows Systems | CISA has issued warnings about vulnerabilities in Cisco and Windows systems that are currently being exploited. Active exploitation includes CVE-2023-20118 in Cisco VPN routers, which allows an authenticated attacker to execute arbitrary commands. CVE-2023-20025, an authentication bypass in Cisco routers, is potentially chained with other vulnerabilities. Windows is affected by CVE-2018-8639, an elevation of privilege vulnerability that allows attackers to run arbitrary code in kernel mode. CISA has added these vulnerabilities to the Known Exploited Vulnerabilities catalog, requiring federal agencies to respond swiftly. Agencies within the Federal Civilian Executive Branch must secure their networks by March 23 to comply with CISA's directive. Both Microsoft and Cisco were previously notified, but neither had published updated advisories following CISA's announcement of these exploits. |
| 2025-03-03 17:38:05 | bleepingcomputer | MALWARE | New Phishing Campaign Uses ClickFix to Deploy Havoc Framework | A new phishing campaign uses the ClickFix technique and Microsoft SharePoint to spread Havoc, a post-exploitation command-and-control framework. ClickFix relies on social engineering, tricking users into executing malicious PowerShell commands through fake error messages and bogus fix instructions. Victims receive phishing emails with an attachment that falsely claims to be a "restricted notice" requiring urgent review. The malicious script checks for a sandbox environment; if none is found, it modifies the Windows Registry and installs Python to execute further payloads. The Havoc framework is then deployed via a Python script, giving the attackers remote access to and control over the compromised device. The campaign hides its command-and-control traffic behind Microsoft's Graph API, blending with legitimate traffic to evade detection. The ClickFix technique is increasingly used to distribute many types of malware across different platforms, including social media. |
| 2025-03-03 17:30:41 | thehackernews | CYBERCRIME | Hackers Utilize AWS Misconfigurations for Phishing Campaigns | Threat actors exploited AWS misconfigurations to conduct phishing attacks, abusing services such as SES and WorkMail to send malicious emails. The group known as JavaGhost (also tracked as TGR-UNK-0011) has shifted from website defacement to phishing for financial gain. The attackers gain initial access through exposed AWS access keys, then use Amazon's own services to bypass typical email protections. Newer tactics include defense evasion within AWS, such as obscuring their activity in CloudTrail logs. The attackers generate temporary credentials to maintain access to and visibility into compromised AWS accounts. JavaGhost creates new IAM users and roles, some of which serve as persistence mechanisms in the victim's environment. As a signature, the campaign creates EC2 security groups named "Java_Ghost", although these groups are not attached to any AWS resources. No vulnerability in AWS itself is exploited; the security gaps stem from poor configuration and management by AWS customers. |
| 2025-03-03 16:31:18 | bleepingcomputer | DATA BREACH | UK Privacy Watchdog Investigates TikTok, Reddit over Child Data Concerns | The UK Information Commissioner's Office (ICO) is investigating TikTok, Reddit, and Imgur over concerns about their handling of children's data. The inquiry focuses on whether TikTok's recommendation algorithms direct inappropriate content to children's feeds, and on how Imgur and Reddit determine user ages. Previous penalties include a £12.7 million fine imposed on TikTok in April 2023 for violations including processing data of children under 13 without parental consent. The ICO's ongoing reviews aim to ensure compliance with data protection law and safeguard children's privacy in digital services operating within the UK. ICO Commissioner John Edwards emphasized the legal responsibilities of social media and video-sharing platforms to protect young users, underscoring the ICO's role in enforcing these standards. A recent study found that over 42% of British parents feel they lack adequate control over the personal data these platforms collect about their children. |
| 2025-03-03 16:14:26 | theregister | MISCELLANEOUS | Changes in Cybersecurity Job Market Dynamics and Demand | The cybersecurity job market is shifting from a talent shortage toward potential oversupply, affecting job availability and hiring dynamics. AI-driven resume screening in HR often filters out qualified candidates. Ghost jobs on recruitment sites mislead applicants about the availability of real positions, driven by companies' desire to appear thriving and competitive. Despite a plateau in hiring, specialized cybersecurity roles in oversight and governance remain in high demand, particularly in states such as Florida, California, Texas, Virginia, Maryland, and New York. Industry certifications such as CompTIA Security+ and CISSP are increasingly required to pass initial HR screening, though practical experience and formal education carry more weight in interviews. The picture is complicated by companies betting on AI to fill generalist roles cheaply, despite ongoing doubts about AI's effectiveness and its strategic fit within organizations. Soft skills such as problem-solving and analytical thinking are emphasized for entry-level roles, with businesses training these employees for specific cybersecurity tasks. Networking continues to play a critical role in landing cybersecurity jobs, underscoring the importance of professional connections in a tightening market. |
| 2025-03-03 14:04:41 | thehackernews | MALWARE | New Phishing Attack Employs SharePoint to Deliver Havoc C2 | Cybersecurity researchers have uncovered a phishing scheme that uses the ClickFix method to deploy a PowerShell-based Havoc C2 framework via SharePoint. Delivery starts with a phishing email carrying an HTML attachment designed to trick victims into running malicious commands. The attack chain downloads a malicious PowerShell script from an attacker-controlled SharePoint site, which then checks for a sandbox environment. If no sandbox is detected, the script installs a Python interpreter and a shellcode loader called KaynLdr that executes an embedded malicious DLL. Fortinet highlighted the attackers' use of the Microsoft Graph API to hide command-and-control communications within commonly trusted services. The Havoc framework used in the attack provides information gathering, file operations, and advanced credential attack capabilities. Separately, Malwarebytes reported an unrelated threat involving the abuse of Google Ads loopholes for phishing attempts targeting PayPal users. |
| 2025-03-03 13:58:33 | thehackernews | DATA BREACH | U.K. ICO Probes TikTok, Reddit, Imgur on Child Data Use | The U.K.'s Information Commissioner's Office (ICO) is investigating TikTok, Reddit, and Imgur over their data protection practices concerning children aged 13 to 17. The investigation focuses on how these platforms use minors' personal data to tailor and recommend content, raising concerns about exposure to inappropriate material. Specific attention is given to each platform's method of assessing user age and tailoring content to protect young users' privacy and well-being. The ICO aims to determine whether these services have violated data protection law and will share any findings with the companies for their response. The enforcement follows the Children's code, in force since September 2021, which requires online services to meet specific standards when handling children's data. Other platforms, such as X (formerly Twitter) and Viber, have already taken action, including halting targeted advertising and disabling geolocation sharing for users under 18. |
| 2025-03-03 13:42:07 | thehackernews | MALWARE | Ransomware Exploits Found in Paragon Partition Manager Driver | Hackers are exploiting a vulnerability in Paragon Partition Manager's driver, BioNTdrv.sys, in ransomware attacks. Microsoft and CERT/CC identified five critical vulnerabilities in the driver, including privilege escalation and arbitrary code execution flaws. These vulnerabilities enable a Bring Your Own Vulnerable Driver (BYOVD) attack, which works even on systems where the driver is not installed, because the attacker supplies the signed driver themselves. Attack scenarios include elevating privileges, executing arbitrary code, or causing denial-of-service (DoS) conditions. The vulnerabilities affect BioNTdrv.sys versions 1.3.0 and 1.5.1; Paragon Software has released patched version 2.0.0. Microsoft has added the vulnerable driver versions to its driver blocklist to prevent further exploitation. The disclosure follows a Check Point report on a related large-scale malware campaign that used a different vulnerable Windows driver to deploy Gh0st RAT. |
| 2025-03-03 13:18:52 | theregister | DATA BREACH | Microsoft Completes EU Data Boundary Amid Sovereignty Concerns | Microsoft has completed its EU Data Boundary initiative, which lets European customers store and process data within the EU and EFTA regions. Despite the initiative, skepticism is growing about relying on a U.S. company such as Microsoft for cloud services, because of potential U.S. government access to data under laws such as the CLOUD Act. European cloud experts and some competitors raise concerns about real data sovereignty, distinguishing it from mere data residency, which does not prevent U.S. legal access. The initiative includes additional Microsoft investment in infrastructure across Europe and greater control over where data is located. Alternatives such as the Bleu joint venture are being developed to offer sovereign cloud services on European-operated infrastructure with no dependency on U.S. companies. Critics argue that true data sovereignty requires data to be subject only to the jurisdiction where it is physically stored, a condition Microsoft's current model does not fully satisfy. European cloud advocates stress choice and transparency for customers and advise against reliance on digital services affected by extraterritorial legislation. The debate underscores the balance between fostering a competitive cloud market and ensuring European digital autonomy and privacy standards. |
| 2025-03-03 12:46:51 | theregister | CYBERCRIME | Polish Space Agency Targeted in Recent Cyberattack Incident | The Polish Space Agency (POLSA) reported a cybersecurity incident on social media and has disconnected its network to protect its data. POLSA is investigating the attack and has released few details to the public. The attack may involve an internal email compromise; agency staff are using phones to communicate because their systems are compromised. Poland's digitalization minister confirmed that two state security teams, CSIRT NASK and CSIRT MON, are assisting with the response. POLSA's website is offline as a result of the attack, and updates are being issued through social media. There is no current evidence that the attack involved ransomware, despite initial speculation. POLSA, part of the European Space Agency, plays a key role in Poland's space technology development and international collaborations. |
| 2025-03-03 12:30:13 | theregister | DATA BREACH | UK Watchdog Probes TikTok, Reddit for Child Data Privacy | The UK's Information Commissioner's Office (ICO) is investigating TikTok, Reddit, and Imgur for possible violations of child data privacy law. The investigations focus on how the platforms use the personal data of users aged 13 to 17 to generate recommendations and serve content, raising concerns about exposure to inappropriate material. The ICO is examining the effectiveness of age assurance measures and how children's personal information is handled on these platforms. Information Commissioner John Edwards emphasized that social media platforms must comply with UK data protection law if they operate in the country. There are growing worries about how much control parents have over the data social platforms collect about their children. An ICO survey found that 42% of British parents feel they have little to no control over what information is gathered about their children. If evidence of legal breaches is found, the ICO plans to seek responses from the companies involved before making any final decisions. The investigation reflects wider concerns about younger audiences' access to social media and the associated risks. |
| 2025-03-03 12:07:37 | thehackernews | NATION STATE ACTIVITY | Serbian Activist Targeted by Zero-Day Android Exploit | A 23-year-old Serbian activist's Android phone was compromised using a sophisticated zero-day exploit chain. The exploit leveraged Linux kernel vulnerabilities to escalate privileges and execute malicious code. Cellebrite, whose forensic software was used in the exploit, has since barred its use in Serbia, citing misuse. Microsoft revealed emerging threats involving AI tools used for cyber pranks, highlighting a new landscape of digital threats. Updates continue to address vulnerabilities in widely used software, including those identified in popular plugins and systems. Cybersecurity strategies must now also secure routine operations such as clipboard usage against new forms of malware. Regular system updates and vigilant cybersecurity practices are recommended to protect against evolving online threats. |
| 2025-03-03 11:04:16 | thehackernews | MALWARE | Ransomware Evolution in 2024: New Groups and Tactics Unveiled | Global ransomware incidents increased by 11% in 2024 to a total of 5,414 attacks, with significant spikes in activity in the second and fourth quarters. Law enforcement disruptions have fragmented established ransomware groups, producing a 40% increase in new groups, from 68 in 2023 to 95 in 2024. RansomHub emerged as a dominant new group, conducting 531 attacks and operating a Ransomware-as-a-Service model with strict affiliate agreements, primarily targeting entities outside CIS nations. Fog ransomware, introduced in early 2024, aggressively targeted U.S. educational institutions by exploiting stolen VPN credentials and adopting double-extortion tactics. Lynx ransomware remains active with more than 70 victims, strictly avoiding critical sectors such as government and healthcare while employing double extortion. Cyberint's analysis indicated that despite a low payment rate of 11.2% among RansomHub's victims, the group's strategy relies on attack volume to drive profitability. Research suggests substantial overlaps between the tools and techniques used by these new groups and those of established ones, indicating shared origins or potential collaboration within the cybercrime ecosystem. Looking ahead to 2025, the rising number of new ransomware groups is expected to further enhance their capabilities and possibly dominate the cybercrime landscape. |