Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12817
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-03-03 09:35:39 | theregister | NATION STATE ACTIVITY | Nations Demand Encryption Backdoors, Tech Firms Resist | The UK and Swedish governments are seeking backdoors into end-to-end encryption, prompting backlash from firms like Apple and Signal. Signal has threatened to exit the Swedish market should the government enforce laws that compromise encryption integrity. The UK government has attempted to keep these backdoor demands secret, hoping to avoid public scrutiny and backlash. Criminals and tech-savvy users can easily circumvent weakened encryption by using alternative services or deploying local encryption methods. Open source software presents a solution by allowing users to inspect and modify code, ensuring transparency and security. Proton Mail serves as an example of effective, user-side encrypted communication that maintains user privacy through open-source practices. Any encrypted system with backdoors fundamentally compromises the security offered, putting primarily non-criminal users at risk. Open-source frameworks are suggested as unassailable solutions, resistant to government tampering while promoting a secure, transparent digital environment. | Details |
| 2025-03-03 05:25:28 | thehackernews | MALWARE | Botnet Infection Hits 1.59M Android TVs Globally, Driven By Malware | The Vo1d botnet has infected approximately 1.59 million Android TV devices across 226 countries, with peak activity recorded on January 19, 2025. The most affected countries include Brazil, South Africa, Indonesia, Argentina, and Thailand, with a significant spike in infections noted in India by February 2025. Vo1d malware exhibits advanced features for evasion and persistence, including RSA encryption for secure communication and unique encrypted payloads, making its detection and analysis challenging. Security researchers suspect compromise methods may involve supply chain attacks or exploitation of devices running unofficial firmware with root access. The malware's scale of operation suggests the creation of a proxy network geared towards ad fraud, and it is further implicated in a rental model where botnet infrastructure is temporarily leased out. Updated versions of Vo1d have introduced sophisticated network communication enhancements, including a Redirector C2 mechanism for disguising the real command and control server. The infected devices are used to deploy additional malware, like Mzmess, which functions with four plugins, suggesting a potential service rental to other criminal groups. Vo1d not only enables profit through fraudulent activities but also poses a threat of more severe attacks, including potential DDoS engagements and unauthorized content distribution. | Details |
| 2025-03-03 03:41:17 | theregister | NATION STATE ACTIVITY | US Cyber Command Halts Cyber Operations Against Russia | US Defense Secretary Pete Hegseth has ordered a pause on US Cyber Command's offensive cyber operations targeting Russia. The pause is reportedly part of a broader strategy to bring Russia to the negotiating table over its actions in Ukraine. Amidst these reports, the Cybersecurity and Infrastructure Security Agency (CISA) maintains that its defensive posture against threats, including those from Russia, remains unchanged. This decision to pause operations does not change the ongoing threat posed by Russian cyber activities, which have historically included sophisticated attacks against US targets. Reports speculate that the pause is intended to redirect focus towards increasing threats from China, aligning with broader foreign policy goals of the Trump administration. Despite the halt, there is no indication that Russia is offering similar concessions, continuing its aggressive cyber operations without restraint. | Details |
| 2025-03-02 17:47:46 | theregister | MISCELLANEOUS | C++ Creator Urges Community to Enhance Language Memory Safety | Bjarne Stroustrup, the inventor of C++, has called on the C++ community to defend the language against criticisms regarding its memory safety issues. Stroustrup highlighted the need for urgent action in response to significant critiques from cybersecurity agencies and tech experts, advocating for the adoption of the Profiles memory safety framework. Various alternative memory safety solutions like TrapC, FilC, Mini-C, and Safe C++ have been proposed within the C/C++ community, reflecting ongoing efforts to address these vulnerabilities. Government agencies such as the US CISA have recommended phasing out memory-unsafe languages like C and C++ by 2026 unless a clear memory safety roadmap is established. Critics and proponents within the community are divided on the feasibility and timing of implementing these memory safety measures, with some arguing that major changes won't be standardized or ready by 2026. Alternatives like the DARPA TRACTOR project for automated C-to-Rust conversion and the TrapC compiler project represent different approaches to solving memory safety issues in legacy C/C++ codebases. Debates continue about the effectiveness of language-level solutions versus hardware-based approaches in addressing memory safety, with broader implications for interoperability and legacy code management. | Details |
| 2025-03-02 15:30:46 | bleepingcomputer | DATA BREACH | Thousands of API Keys and Passwords Exposed in AI Training Data | Nearly 12,000 API keys and passwords were found in the Common Crawl AI training dataset. The dataset, maintained by a non-profit, includes web data since 2008 used by numerous AI projects. Truffle Security identified over 11,908 valid secrets in the dataset's December 2024 archive, across various services like AWS and MailChimp. Despite data cleaning processes, sensitive information such as API keys remains in the dataset used for training large language models. Secret reuse was high: a single WalkScore API key appeared over 57,000 times across multiple domains. Leaked secrets pose risks such as unauthorized data access, phishing, and brand impersonation. Truffle Security has collaborated with affected vendors to revoke and rotate the exposed keys, highlighting the continuing security risk of training AI models on historical data. | Details |
| 2025-03-01 15:25:19 | bleepingcomputer | MALWARE | Ransomware Groups Exploit Paragon Manager Flaw to Escalate Privileges | Microsoft detected flaws in Paragon Partition Manager's BioNTdrv.sys driver, one of which is being exploited by ransomware gangs in zero-day attacks to gain SYSTEM privileges on Windows. The vulnerability allows attackers to use the 'Bring Your Own Vulnerable Driver' (BYOVD) technique, enabling privilege escalation even if the Paragon software is not installed on the system. The exploited flaw, CVE-2025-0289, allows ransomware groups to escalate privileges to SYSTEM level and carry out further malicious activity. This vulnerability has been addressed in the latest software update from Paragon, and Microsoft has added the vulnerable driver versions to its Vulnerable Driver Blocklist to prevent further exploitation. Users and organizations are advised to check in Windows Security that Microsoft's Vulnerable Driver Blocklist is enabled and actively blocking the outdated drivers. The exploitation of such vulnerabilities highlights the need for continuous monitoring and updating of security measures against evolving ransomware tactics like BYOVD attacks. | Details |
| 2025-03-01 08:01:33 | thehackernews | MISCELLANEOUS | Mozilla Refines Firefox Terms After User Data Rights Concerns | Mozilla quickly revised its Terms of Use following user backlash over language that granted extensive rights over uploaded data. The initial terms implied a broad license grant to Mozilla over all user-entered data, raising privacy and ownership concerns. Following criticism, Mozilla clarified that it doesn't claim ownership but requires the data rights necessary to operate the Firefox browser. Mozilla's VP of Product, Ajit Varma, emphasized that the intent was clarity on Firefox's functionality, not to infringe on user rights. The organization reassured users that it neither buys nor sells user data, and that the changes were largely due to varying legal interpretations of "selling" data. Mozilla admitted to sharing anonymized or aggregated data with partners, primarily to sustain financial viability through ads and sponsored suggestions. The revised terms now align more closely with user expectations and legal requirements regarding data handling and privacy. This update follows broader industry scrutiny and regulatory concerns regarding data privacy, highlighted by recent actions against Google by the U.K. Information Commissioner's Office. | Details |
| 2025-03-01 00:25:45 | bleepingcomputer | CYBERCRIME | U.S. Recovers $31 Million from 2021 Uranium Finance Cryptocurrency Hack | In 2021, hackers targeted Uranium Finance, a decentralized finance protocol on the Binance Smart Chain, exploiting vulnerabilities that led to significant asset losses. The attacks resulted in the theft of over $53.7 million through two separate incidents leveraging smart contract flaws. TRM Labs assisted the Southern District of New York and Homeland Security Investigations in tracing the stolen cryptocurrency across multiple blockchain systems. Advanced tracking and analysis revealed laundering patterns including Tornado Cash transactions and cross-chain swaps. By February 2025, U.S. authorities had successfully recovered $31 million of the stolen funds. The recovery operation stands as one of the most significant asset recoveries in recent cybercrime history. Victims of the Uranium Finance hack have been asked to contact the U.S. SDNY to claim portions of the recovered funds. | Details |
| 2025-02-28 19:15:26 | theregister | CYBERCRIME | Ransomware Criminals Exploit CISA's Vulnerability List for Attacks | Fresh research by GreyNoise indicates that 28% of vulnerabilities in CISA's Known Exploited Vulnerability (KEV) catalog were used by ransomware criminals in 2024. The KEV catalog is intended to aid US public sector patching strategies but inadvertently assists ransomware attackers by highlighting exploitable vulnerabilities. Despite immediate updates by CISA, some vulnerabilities, like the remote code execution issue in Cleo Harmony and the critical command execution flaw in Progress's Kemp LoadMaster, were exploited before being cataloged. The GreyNoise report highlights persistent threats from older vulnerabilities, some decades old, exploited by attackers for DDoS attacks and cryptocurrency mining. Ivanti, D-Link, and VMware were criticized for poor security practices, with calls for customers to consider alternatives due to inadequate vulnerability management and patching approaches. Broad use of known vulnerabilities in widely deployed devices and systems underlines an urgent need for comprehensive security improvements and proactive threat monitoring. The report advocates immediate action to address both legacy and newly discovered vulnerabilities, given the innovative ways attackers monetize these exploits. | Details |
| 2025-02-28 18:27:10 | bleepingcomputer | CYBERCRIME | Qilin Ransomware Impacts Lee Enterprises, Threatens Data Leak | The Qilin ransomware gang claimed responsibility for a cyberattack on Lee Enterprises on February 3, 2025, causing significant disruptions. The attack led to the loss of access to internal systems and cloud storage, and the failure of the corporate VPN. Lee Enterprises, which manages numerous daily newspapers and digital platforms, reported encryption of critical apps and unauthorized data extraction. The ransomware group has threatened to publish all stolen data, approximately 350GB, unless a ransom is paid by March 5, 2025. Samples of the stolen data, including government IDs and financial documents, were posted on Qilin's dark web extortion site. BleepingComputer reached out to Lee Enterprises for confirmation of the origin of the exposed data, but no immediate response was provided. Microsoft reported last year that members of the 'Scattered Spider' hacker collective have started utilizing Qilin ransomware in their cyberattacks. Qilin has evolved technically over the years, recently introducing a Linux variant and a Rust-based data locker for more secure and evasive operations. | Details |
| 2025-02-28 18:00:57 | bleepingcomputer | CYBERCRIME | Global Crackdown on AI-Generated Child Abuse Material Ring | Law enforcement from 19 countries arrested 25 suspects involved in distributing AI-generated child sexual abuse material (CSAM). The arrests were part of Operation Cumberland, led by Danish law enforcement with Europol's support. Authorities seized 173 electronic devices and identified 273 suspected network members. The crackdown followed the arrest of the network's main suspect, a Danish national, in November 2024. Users accessed the illegal content through a password-protected online platform after making a symbolic payment. Europol's Executive Director emphasized the challenges in combating the increase of AI-generated CSAM. Europol has been running the Stop Child Abuse – Trace An Object initiative since 2017 to identify CSAM victims and perpetrators. An upcoming Europol online campaign aims to target potential offenders and raise awareness about the misuse of AI for creating illegal content. | Details |
| 2025-02-28 16:55:28 | thehackernews | NATION STATE ACTIVITY | Zero-Day Exploit Unlocks Serbian Activist's Phone, Raises Concerns | Amnesty International reported that a Serbian activist's Android phone was unlocked using a zero-day exploit developed by Cellebrite. The exploit targeted Android USB drivers through a sophisticated chain involving three CVEs, culminating in CVE-2024-53104, a privilege escalation flaw with a CVSS score of 7.8. Although the Linux kernel has patched the flaws, the fixes have not yet been incorporated into the Android Security Bulletin. The exploit allowed anyone with physical access to bypass the Android lock screen and gain privileged access. The activist, identified as "Vedran", had his phone confiscated by police during a student protest in Belgrade, and an attempt was made to install an unknown app on it, consistent with prior spyware tactics. Following the misuse of its tools, Cellebrite announced a halt on the use of its software by Serbia and reiterated that its technologies are not intended for offensive purposes. | Details |
| 2025-02-28 16:27:29 | bleepingcomputer | NATION STATE ACTIVITY | Serbian Police Exploit Android Zero-Day to Target Activist | Serbian authorities reportedly utilized an Android zero-day exploit developed by Cellebrite to unlock a student activist's smartphone and attempt spyware installation. Amnesty International's Security Lab uncovered the exploit during forensic analysis, linking its use to privacy rights violations in Serbia. Following the exposé, Cellebrite restricted the Serbian security services' access to its tools. Google identified three exploited vulnerabilities in Android's Linux kernel USB drivers; one has been patched, while two remain open. The vulnerabilities were under "limited, targeted exploitation," indicating a focused use of these flaws against specific targets. Google and other Android distributors are working on patches, with some Android distributions like GrapheneOS already securing their systems against some of the vulnerabilities. Physical access to devices is necessary for such USB exploits, highlighting the risk during device confiscation by law enforcement. | Details |
| 2025-02-28 14:29:34 | thehackernews | CYBERCRIME | Increasing Security Risks in Remote Desktop Protocol Usage | Remote Desktop Protocol (RDP), developed by Microsoft, allows remote access and control over networks, and is essential for modern business operations. Over 50% of small and medium-sized businesses and Managed Service Providers use RDP due to its efficiency, despite its vulnerabilities. Recent trends show hackers scanning the less monitored port 1098, looking to exploit RDP systems, significantly increasing cybersecurity risks. Microsoft regularly issues updates to fix vulnerabilities, with recent patches in December 2024 and January 2025 addressing major security gaps. Findings from network pentests reveal many instances of RDP misconfigurations, exposing systems to potential cyber threats. Proactive security measures like Datto Endpoint Detection and Response (EDR) and vPenTest are recommended to protect against RDP-related attacks. Businesses are advised to stay vigilant with patches, limit access, use multi-factor authentication, and employ advanced security solutions to mitigate risks. Despite its advantages, improved security measures around RDP are critical to prevent data breaches and malware attacks. | Details |
| 2025-02-28 13:55:02 | thehackernews | MALWARE | Widespread Phishing Campaign Distributes Lumma Stealer via PDFs | Cybersecurity experts have uncovered a phishing campaign using fake CAPTCHA images in PDFs to deploy Lumma Stealer malware. Over 260 unique domains and 5,000 phishing PDFs have been involved, affecting upwards of 1,150 organizations and 7,000 individuals globally. This particular phishing operation mainly targets sectors like technology, financial services, and manufacturing in regions including North America, Asia, and Southern Europe. The fraudulent PDFs are distributed via reputable platforms like Webflow's CDN and are also uploaded to legitimate PDF libraries to mislead victims through manipulated search engine results. Victims are deceived into executing harmful PowerShell commands by interacting with the counterfeit CAPTCHA images contained within the PDFs. Recent adaptations of the campaign show diversification in delivery methods, including disguising Lumma Stealer as game downloads and software cracks. The malicious operators have integrated advanced features into Lumma Stealer by pairing it with a proxy malware named GhostSocks, enhancing its utility for bypassing security measures. The escalation of this phishing method uses sophisticated obfuscation techniques involving hidden Unicode characters to evade detection. | Details |