Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 12819
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-02-26 04:39:24 | thehackernews | NATION STATE ACTIVITY | CISA Updates KEV Catalog with Microsoft and Zimbra Flaws | CISA included two new vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog, affecting Microsoft Partner Center and Synacor Zimbra Collaboration Suite. The inclusion is based on confirmed instances of active exploitation of these security flaws. Microsoft's vulnerability, identified as CVE-2024-49035, was acknowledged last year as being exploited, with no further details on its use in attacks provided. No reports of in-the-wild abuse of the Zimbra flaw, CVE-2023-34192, have surfaced to date. Federal Civilian Executive Branch (FCEB) agencies are required to implement the necessary security updates by March 18, 2025, to protect their networks. This update to the KEV catalog follows closely after the addition of vulnerabilities in Adobe ColdFusion and Oracle Agile PLM due to similar exploitation threats. | Details |
| 2025-02-26 02:36:07 | theregister | NATION STATE ACTIVITY | Proposed Reforms for CISA Amidst Controversial Management Changes | Troy Edgar, nominee for deputy director of the Department of Homeland Security, criticized the current direction of CISA, advocating for tighter management. Edgar supported the Trump administration's decision to dissolve the Cyber Safety Review Board (CSRB) during reorganization to refocus CISA's efforts. CISA previously extended its functions into election interference investigations, which Edgar indicated was overstepping its intended role. The agency, currently without a permanent leader following Jen Easterly's resignation, faces uncertainty about its future leadership and direction. Edgar's appointment is pending a Congressional vote, where he is anticipated to be confirmed. In related developments, Apple is investigating a speech recognition glitch, and a new head of the DOGE initiative, which emphasizes governmental efficiency, has been announced. | Details |
| 2025-02-26 00:09:25 | theregister | DATA BREACH | DISA Notifies Millions of Security Breach One Year Later | DISA Global Solutions reported a security breach affecting over 3.3 million people, disclosing the incident a year after it occurred. The breach, identified in April 2024, initially occurred in February 2024; the company took measures to secure the deleted data. Compromised information includes names, social security numbers, driver's licenses, and sensitive data such as drug testing results. DISA has not clarified whether ransomware was involved or if a ransom was paid following the breach. The delay in detecting and reporting the breach gives criminals ample time to misuse the stolen personal data. Affected individuals, whose contact with DISA was mainly through potential employers, might be unaware that their data was compromised. The breach could lead to extortion attempts that exploit sensitive information such as drug test results and background checks. The incident underscores the significant risks and impacts of attacks on data brokers and information service providers. | Details |
| 2025-02-25 22:14:53 | bleepingcomputer | DATA BREACH | Over 284 Million Accounts Added to Have I Been Pwned Database | Have I Been Pwned (HIBP) has incorporated over 284 million accounts stolen by infostealer malware into its database. These accounts were discovered in 1.5TB of stealer logs on a Telegram channel called "ALIEN TXTBASE," containing data from potentially multiple breaches or credential stuffing attacks. The compromised data includes 493 million unique website and email address pairs, affecting 284 million unique email addresses. HIBP founder Troy Hunt verified the authenticity of these accounts and added them to the database after successfully using the email addresses to trigger password reset emails. Alongside the stolen account data, HIBP has also added 244 million previously unseen passwords to its Pwned Passwords service and updated counts for 199 million already existing records. New APIs have been introduced allowing domain owners and website operators to search the stealer logs by email or website domain, helping to identify and protect customers whose credentials were compromised. Regular users subscribed to HIBP notifications can check if their accounts appear in the compromised logs, although detailed site exposure information is only available through these notifications to protect sensitive user data. HIBP continues to bolster its database with prior additions, including accounts from Zacks Investment and users affected by the RedLine malware infostealing campaign. | Details |
| 2025-02-25 21:48:54 | theregister | NATION STATE ACTIVITY | Chinese Cyber-espionage Targets GOP Emails Prior to National Convention | Chinese spies infiltrated the US Republican National Committee's Microsoft-powered email system, accessing it for several months. The security breach was discovered and disclosed to GOP leaders by Microsoft in early July 2024, just before the Republican National Convention. The breach is highlighted in an upcoming book by Alex Isenstadt, which claims the intrusion was focused on gathering intelligence on the GOP's stance regarding Taiwan. Concerns were raised about Chinese sleeper-cell malware potentially present in US critical infrastructure, possibly to be activated in response to future geopolitical tensions. The breach's discovery coincided closely with an assassination attempt against former President Trump, although GOP officials opted not to inform the FBI to avoid media leaks. Iranian agents also compromised Republican email accounts, leaking sensitive documents to the press. The breach could be connected to broader Chinese cyber activities, including the wide-reaching "Salt Typhoon" intrusions into US government and telecommunications networks. The FBI and other involved parties have not provided comments; further information from the RNC and Microsoft is pending. | Details |
| 2025-02-25 20:49:11 | theregister | MALWARE | Critical RCE Vulnerability Discovered in MITRE Caldera Platform | A severe remote code execution (RCE) bug, CVE-2025-27364, was identified in all versions of the MITRE Caldera security training platform except the latest release. The vulnerability scores 10 out of 10 in severity and affects Caldera installations from its initial 2017 release up to versions before 5.1.0. Successful exploitation requires the presence of Go, Python, and the GNU Compiler Collection (GCC) on the target, which are essential for Caldera's full functionality. The RCE can be triggered in most default configurations by sending a specially crafted HTTPS request to deploy reverse shell agents. Caldera is used by cybersecurity teams to simulate attacks and test defenses, making this vulnerability particularly alarming given its potential abuse for unauthorized system control. Separately, privilege-escalation flaws were reported in Parallels Desktop for Mac, highlighting ongoing patching challenges and vulnerabilities within popular software. The researcher who discovered the flaw provided mitigation advice, recommending immediate patch application or limiting internet exposure of vulnerable systems. | Details |
| 2025-02-25 20:31:37 | bleepingcomputer | MISCELLANEOUS | Firefox Maintains Support for Older Extension Protocols Amid Changes | Mozilla has reiterated its commitment to supporting Manifest V2 (MV2) extensions alongside the new Manifest V3 (MV3), ensuring continued user freedom in extension choice. Manifest V3, developed by Google, aims to enhance security by limiting permissions that can compromise safety but restricts the effectiveness of some extensions such as ad-blockers. The enforcement of MV3 has led to the deactivation of extensions, including popular ad blockers like uBlock Origin, which have not transitioned to the new specification. Unlike Chrome, which is phasing out MV2, Firefox plans to continue supporting MV2 to allow older extensions to function, catering to users prioritizing extensive functionality over potential risks. Firefox's decision is in line with its commitment to "Principle 5" of its manifesto, which emphasizes the importance of individual control over internet experiences. While other browsers like Microsoft Edge and Apple Safari have adopted MV3, they have incorporated modifications allowing more user flexibility compared to Google's implementation. Mozilla has not specified an end date for MV2 support, indicating a long-term commitment to support extensions that enhance user privacy and security. | Details |
| 2025-02-25 19:45:54 | bleepingcomputer | MALWARE | GitVenom Malware Targets GitHub to Steal Cryptocurrency | A malware campaign called GitVenom uses GitHub to distribute info-stealers, RATs, and clipboard hijackers. The campaign primarily targets users in Russia, Brazil, and Turkey through hundreds of fake GitHub repositories. The malicious GitHub projects pose as software tools such as Instagram automation tools, Bitcoin wallet managers, and hacking utilities for games. These repositories appear credible by using well-crafted Readme files, possibly AI-generated, and inflated commit histories. Kaspersky identified various programming languages used in the campaign, such as Python, JavaScript, C, C++, and C#, chosen to avoid detection. Once executed, the injected code downloads further malicious payloads hosted on GitHub. In one instance, attackers gained 5 BTC, worth approximately $500,000, showing the significant financial impact. Recommendations for safety include thorough vetting of GitHub projects, using antivirus programs, and isolating execution environments to prevent malware infection. | Details |
| 2025-02-25 17:53:55 | bleepingcomputer | MALWARE | Auto-Color Malware Targets North American Governments and Universities | A new Linux backdoor named 'Auto-Color' targeted North American and Asian universities and government organizations from November to December 2024. The malware, discovered by Palo Alto Networks' Unit 42, is difficult to detect and remove, maintaining persistent access to infected systems. Auto-Color employs evasive techniques including disguising itself under benign filenames and using a malicious library to ensure it executes before other system libraries. The backdoor can provide remote access even on systems where it lacks root privileges, but its persistence is limited under these conditions. Auto-Color uses custom encryption to obfuscate command and control (C2) server communications and employs rootkit-like features to hide its network activity. The malware includes a "kill switch" that allows attackers to rapidly erase traces of the infection, complicating forensic analysis. Unit 42 recommends monitoring key system files and employing behavior-based detection solutions to identify and mitigate threats posed by Auto-Color. Indicators of Compromise (IoCs) related to Auto-Color have been published to aid in the detection and analysis of potential infections in affected systems. | Details |
| 2025-02-25 17:46:55 | bleepingcomputer | DATA BREACH | DISA Global Solutions Confirms Data Breach Affecting 3.3 Million | DISA Global Solutions, a prominent US-based drug testing and background screening firm, reported a data breach impacting 3.3 million individuals. The cybersecurity incident spanned from February 9, 2024, to April 22, 2024, with the breach discovered on the final day. Breached data includes personally identifiable information, employment histories, and possibly medical and health-related data, but specific details of the exposed data types were not fully disclosed. Although there is no evidence of data misuse or dissemination, DISA has taken measures to prevent public release of the information by engaging with the threat actor. Affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services. Impacted parties include employees and applicants of companies using DISA's services, potentially affecting major corporations, including some Fortune 500 companies. DISA implemented additional security measures to enhance data protection and mitigate future risks. | Details |
| 2025-02-25 16:46:15 | bleepingcomputer | DATA BREACH | US Drug Testing Firm Reports Breach Affecting 3.3 Million | DISA Global Solutions disclosed a data breach impacting 3.3 million individuals. The breach occurred between February 9, 2024, and April 22, 2024, with the company detecting the incident on the latter date. Sensitive data potentially accessed includes personally identifiable information, employment history, and medical data. DISA serves over 55,000 clients, including 30% of Fortune 500 companies, highlighting significant national implications. The company offered 12 months of free credit monitoring and identity theft protection to affected individuals. It is unclear which specific data elements were accessed, and DISA initially paid a ransom to prevent data leakage. Notifications to authorities and the public were made as required by regulation, with ongoing recommendations for affected individuals to enhance personal security measures. | Details |
| 2025-02-25 16:13:06 | thehackernews | MALWARE | LightSpy Spyware Update Significantly Enhances Data Harvesting Capabilities | LightSpy spyware has been updated to include a wide array of data collection features targeting Windows, macOS, Linux, Android, and iOS devices, with enhanced control over infected systems. Originally identified in 2020 focusing on Hong Kong users, LightSpy now supports over 100 commands across multiple platforms, shifting from direct data extraction to broader operational control. The update includes destructive capabilities for Android, preventing device boot-up, but similar destructive capabilities have been removed from iOS versions. LightSpy now targets Facebook and Instagram databases on Android for extracting user conversations, contacts, and metadata, expanding the scope of personal data extraction. The spyware features 28 plugins, including 15 Windows-specific ones, aimed at various espionage activities such as keylogging, audio recording, and USB interactions. Enhanced command capabilities allow threat actors to manage spyware deployment more effectively and adapt to different environments or user activities. Separately, an unrelated Android app used for predatory lending in India was removed from the Google Play Store, underscoring a trend of exploiting mobile platforms for financial fraud. | Details |
| 2025-02-25 15:56:48 | thehackernews | NATION STATE ACTIVITY | Belarus-Linked Cyber Espionage Targets Ukrainian Military | The Belarus-aligned threat actor Ghostwriter has launched a new malware campaign targeting Ukrainian military and government bodies using malicious Excel documents. The campaign utilizes macro-obfuscated Excel sheets to deploy a variant of the PicassoLoader malware, and also targets opposition activists in Belarus. The operation has been active since mid-2024, with initial lures shared via Google Drive and designed to execute once Excel macros are enabled. After initial infection, the malware displays a decoy document while secretly downloading additional payloads, including the Cobalt Strike suite used for further exploitation. SentinelOne's analysis identified tactics such as steganography for concealing second-stage malware downloads within seemingly innocuous image files. The continuous use of obfuscated .NET downloaders and VBA macros throughout 2024 signifies a sustained and sophisticated espionage effort against Ukraine. Despite Belarus not being militarily active in the Ukraine conflict, its cyber actors continue to conduct espionage operations, highlighting the cyber dimension of geopolitical tensions. | Details |
| 2025-02-25 15:32:35 | theregister | MISCELLANEOUS | DEF CON Founder Embroiled in Harassment Scandal and Legal Battle | Christopher Hadnagy, founder of Social-Engineer LLC and DEF CON veteran, has been accused of harassment by multiple individuals. Claims of unprofessional behavior include inappropriate comments on appearances, anger outbursts, and humiliation of employees, which surfaced in a court motion. Following these revelations, Hadnagy was barred from DEF CON in 2022, sparking a lawsuit against DEF CON and its founder Jeff Moss, in which Hadnagy alleges defamation and seeks over $50,000 in damages. The court dismissed most of Hadnagy's claims, but the defamation claim remains under consideration, with recent court motions providing extensive details of the alleged inappropriate behaviors. Accusations include prompting questionable workplace exercises, exhibiting aggressive behaviors, and making several female employees uncomfortable. Maxie Reynolds, a prominent accuser, alleges a negative campaign by Hadnagy against her, including attempts to undermine her published work and tarnish her professional reputation. If this latest motion fails to dismiss Hadnagy's remaining claims, DEF CON's legal representatives are prepared to proceed to trial, as confirmed via social media by Jeff Moss. | Details |
| 2025-02-25 15:06:29 | theregister | MISCELLANEOUS | Veeam Advances Data Resilience and Portability in Security Landscape | Veeam is shifting its focus from traditional backup solutions to emphasize data resilience and data portability, reflecting changes in enterprise needs and threats. Data resilience now includes preparedness for cyberattacks, with Veeam enhancing systems to handle disasters like ransomware, which specifically targets backups for encryption. Broad commercial changes, such as those from VMware's owner Broadcom, are forcing enterprises to reconsider their infrastructure choices, driving the need for a more versatile backup solution. Veeam supports extensive cross-platform compatibility, backing up data across a variety of systems including different cloud services and virtual environments to ensure business continuity. The company integrates advanced cybersecurity features, including immutability of backups and SIEM (Security Information and Event Management) integrations, to actively combat threats during the backup process. Veeam's SureBackup feature tests backup integrity by simulating virtual machines, ensuring that data can be reliably restored even after being compromised in a cyberattack. The approach includes compliance tools and policy-driven automation to align with regulatory requirements and facilitate audits, ensuring enterprises meet legal data protection standards. Industry experts like Rick Vanover from Veeam stress the importance of comprehensive preparation and risk management in data resilience, highlighting technical and commercial considerations when shifting to cloud-based solutions. | Details |