Daily Brief
Find articles below; see 'Details' for the generated summaries.
Total articles found: 12819
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-02-25 13:20:50 | theregister | NATION STATE ACTIVITY | Chinese State-Backed Hackers Target Hospital Patients' Computers | The Chinese government-backed cyber group Silver Fox is using spoofed medical imaging software to hijack patients' computers and install several forms of malware. Researchers from Vedere Labs detected malware disguised as legitimate software such as Philips DICOM viewers and EmEditor, with samples collected between July 2024 and January 2025. The malware uses tools such as PowerShell to evade detection and runs under filenames meant to look like healthcare applications, signaling an expansion of targeting beyond China. The campaign deploys ValleyRAT, a sophisticated backdoor that allows remote access, along with new additions to Silver Fox's arsenal such as keyloggers and cryptocurrency miners. Initial infection tactics may include SEO poisoning and phishing, with later malware stages handling communication with command-and-control servers via standard Windows utilities and PowerShell scripts. Post-infection, the malware disables antivirus tools using payloads such as TrueSightKiller and downloads further malicious payloads, including the keylogger and miner. The campaign poses significant risks to healthcare systems, especially where infected patient-owned devices connect to hospital networks, potentially enabling broader network compromise. | Details |
| 2025-02-25 11:09:55 | bleepingcomputer | DATA BREACH | Hacker Exposes Orange Group's Internal Documents After Breach | A hacker using the alias Rey, from the HellCat ransomware group, infiltrated Orange Group's systems and obtained thousands of documents, including user and employee data. The stolen data, primarily from Orange Romania, comprises 380,000 unique email addresses, source code, invoices, contracts, and customer and employee information. Despite the ransom note left behind, Orange did not negotiate with the hacker, who had access to the system for over a month. Rey exploited compromised credentials and vulnerabilities in the company's Jira software and other internal portals to gain unauthorized access. The breach was discovered after the hacker began extracting data, which went unnoticed for approximately three hours. No critical operations were affected, as the breach occurred on a non-critical back-office application, and immediate action was taken to protect data and contain the incident. Orange's cybersecurity and IT teams are actively assessing and minimizing the breach's impact, meeting their legal obligations and cooperating with the authorities. | Details |
| 2025-02-25 11:02:07 | theregister | NATION STATE ACTIVITY | New ICS Malware Variants Emerge During Russia-Ukraine Conflict | Two new malware variants, Fuxnet and FrostyGoop, were discovered targeting industrial control systems (ICS) during the Russia-Ukraine war, with significant impact on operational technology networks. Fuxnet targeted a Moscow municipal organization and disrupted communications to critical infrastructure sensors, while FrostyGoop affected heating controls in over 600 apartment buildings in Lviv, Ukraine. These incidents mark an increase in specialized malware attacks on critical industrial systems, which are less frequent but far more consequential than generic IT malware. Dragos, an OT cybersecurity firm, reported these developments in its annual review, highlighting the sophistication of the attacks and the potential for such malware to proliferate. New threat groups were also identified, including Bauxite, linked to pro-Iranian entities, and Graphite, with connections to Russian state actors, signaling an escalation in nation-state cyber activity against critical infrastructure worldwide. The convergence of nation-state tactics and cybercriminal activity raises concerns about more frequent and severe attacks on critical systems, as shared knowledge and capabilities strengthen the threat landscape. Dragos's CEO emphasized the escalation and potential consequences of ICS-specific malware, pointing to a trend toward more severe cyber-induced disruption of critical infrastructure. | Details |
| 2025-02-25 11:02:07 | thehackernews | MALWARE | Summary of Five Aggressive Malware Campaigns in Early 2025 | NetSupport RAT, using fake CAPTCHA injections, grants attackers full control over victims' systems through malicious PowerShell command execution and establishes a persistent link to a command-and-control server for ongoing manipulation. Lynx ransomware, an enhanced RaaS offering with a structured affiliate program, targets various industries globally, with reported breaches involving theft of substantial data from entities such as Brown and Hurley and Hunter Taubman Fischer & Li LLC. An AsyncRAT campaign leverages Python payloads and TryCloudflare tunnels to distribute malware stealthily via phishing emails, installing multiple remote access trojans and worms on the victim's system. Lumma Stealer, distributed via GitHub, executes alongside other malware such as SectopRAT, stealing personal and browser data and connecting back to command-and-control servers for exfiltration. InvisibleFerret, a Python-based malware disguised in fake job offers, uses advanced obfuscation to evade detection while collecting sensitive system information, and is executed through the BeaverTail NPM module. The ANY.RUN Interactive Sandbox is used heavily across these campaigns for real-time analysis of the malware's behavior, capabilities, and network communications. | Details |
| 2025-02-25 10:27:39 | thehackernews | MALWARE | Extensive Malware Campaign Exploits Vulnerable Driver to Deliver Gh0st RAT | Check Point researchers identified over 2,500 variants of the Truesight.sys driver being exploited to bypass EDR systems and deploy HiddenGh0st RAT. Attackers generated the driver variants by altering parts of the PE file while keeping the digital signature valid, evading detection. The campaign used a BYOVD (Bring Your Own Vulnerable Driver) strategy to terminate processes associated with security software. Evidence suggests the Silver Fox APT, a sophisticated threat actor, may be behind it, given overlaps in tactics and historical attack patterns. The drivers and malware were spread through deceptive websites and messaging apps, disguised as benign software, slipping past conventional security mechanisms. Following initial infection, the campaign deployed an EDR/AV killer module capable of operating independently to hinder security responses. The final payload was a variant of Gh0st RAT, enabling attackers to control systems remotely for data theft and surveillance. Microsoft updated the Vulnerable Driver Blocklist as of December 17, 2024, to mitigate this attack vector and improve protection against such exploits. | Details |
| 2025-02-25 10:14:08 | thehackernews | MALWARE | GitVenom Campaign Targets Gamers, Crypto Users with Malware | Cybersecurity firm Kaspersky identified an ongoing malicious campaign, dubbed GitVenom, that uses fake GitHub projects to distribute malware. The attack primarily targets gamers and cryptocurrency investors, using enticing but fraudulent software projects as lures. GitVenom malware has stolen approximately 5 bitcoins, valued at around $456,600, by hijacking cryptocurrency wallet addresses. Victims are mostly located in Russia, Brazil, and Turkey, and the malicious projects are written in languages including Python, JavaScript, and C#. The malware works by embedding a malicious payload within seemingly legitimate software, which then downloads further malicious components. A specific Node.js module steals sensitive information such as passwords and bank details, compresses it, and sends the data to the attackers via Telegram. Other downloaded tools include AsyncRAT and Quasar RAT for remote administration, and clipper malware that alters copied wallet addresses to reroute cryptocurrency to the attackers. The reports emphasize the persistent risk of running third-party code and stress the need for rigorous verification before using or integrating it. | Details |
| 2025-02-25 09:36:42 | theregister | CYBERCRIME | Southern Water Allegedly Offers Ransom To Black Basta Hackers | Southern Water is implicated in a possible $750,000 ransom negotiation following a cyberattack by the Black Basta ransomware group. Leaked internal chats reveal that Southern Water, a UK utility provider, was targeted in January 2024 and that Black Basta demanded $3.5 million. Southern Water informed the NCSC and Defra about the intrusion without discussing details publicly. The cyberattack did not affect Southern Water’s operations or customer services but did involve significant compromise of IT systems. Despite initial reluctance, Southern Water proposed a lower ransom of $750,000 to resolve the situation quickly, according to the leaked chats. There is no confirmation of whether the ransom payment was accepted, as the leaked conversation data is incomplete and sometimes inaccurate given the use of AI tools such as BlackBastaGPT. Information obtained from these chats should be treated cautiously, as it has shown inconsistencies and potential misinformation. | Details |
| 2025-02-25 07:37:08 | theregister | CYBERCRIME | Exploiting AI Models Through Chain-of-Thought Jailbreaking | Researchers have developed "H-CoT," a technique that exploits the chain-of-thought (CoT) reasoning of AI models such as OpenAI o1/o3 and DeepSeek-R1, which is designed to mimic human reasoning. The study, involving Duke University, Accenture, and Taiwan's National Tsing Hua University, shows how the transparency of CoT models gives attackers insight into bypassing AI safety checks. A dataset named Malicious-Educator was created, containing prompts that deceive AI models into producing unsafe content, effectively jailbreaking their safety mechanisms. The step-by-step reasoning of CoT models, meant to improve safety, paradoxically reveals weaknesses that sophisticated attackers exploit. OpenAI o1/o3 models showed plummeting rejection rates under H-CoT attacks, with significant drops in their refusal of harmful prompts. The research underscores the urgency for AI developers to balance model transparency against security, with ongoing updates to guard against evolving threats. The distinction between local and cloud deployments matters in AI model testing, as cloud models benefit from built-in safety filters that potentially more vulnerable local installations lack. | Details |
| 2025-02-25 05:53:32 | thehackernews | MALWARE | FatalRAT Phishing Attacks Exploit Chinese Cloud Services Across APAC | Multiple APAC regions, including Taiwan, Malaysia, and Japan, are being targeted by phishing attacks using FatalRAT malware, distributed through legitimate Chinese cloud services. The attacks use sophisticated multi-stage techniques that rely on CDNs to hide malicious activity behind normal network operations, and focus on government and key industries such as healthcare. The phishing campaigns are tailored to Chinese-speaking individuals, using email lures with Chinese-language file names that deliver zip files to start the infection. The malware uses complex mechanisms to avoid detection by security tools, terminating suspect processes and checking for virtual or sandbox environments. Notable FatalRAT capabilities include keystroke logging, data manipulation, and remote administration features that offer broad control over infected systems. Attribution is not definitively established, but overlaps in tactics suggest the involvement of a Chinese-speaking threat actor, which Kaspersky assesses with medium confidence. This campaign aligns with previous activity from the Silver Fox APT, known for similar targeting patterns and malware delivery methods. | Details |
| 2025-02-25 04:17:26 | thehackernews | NATION STATE ACTIVITY | CISA Flags Two Exploited Flaws in Adobe and Oracle Products | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified two actively exploited vulnerabilities in Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM). Although there are no public reports of exploitation, another Oracle Agile PLM vulnerability was previously actively abused, indicating an ongoing threat. CISA urges federal agencies to apply the necessary updates by March 17, 2025, to protect against these vulnerabilities. Threat intelligence from GreyNoise points to exploitation attempts against a previously patched security flaw in Cisco devices, with significant activity from IPs based in Bulgaria, Brazil, and Singapore. Concurrently, attacks involving two critical CVEs were traced back to IPs in Switzerland and the U.S., potentially linked to the Chinese state-sponsored group Salt Typhoon. These incidents highlight the growing challenge of nation-state activity and the importance of timely updates to mitigate cybersecurity risk. | Details |
| 2025-02-25 00:21:03 | theregister | MISCELLANEOUS | Google to Replace SMS Authentication with QR Codes for Enhanced Security | Google is phasing out SMS-based multi-factor authentication in favor of QR codes amid growing security concerns. Although introduced in 2011, SMS one-time passcodes have proven vulnerable to attacks such as SS7 redirection and SIM swapping. The National Institute of Standards and Technology (NIST) recommended retiring SMS as a multi-factor authentication method back in 2016 because of its inherent security weaknesses. Rising cases of "traffic pumping" schemes have increased operational costs, as highlighted by Elon Musk's experience with Twitter, where such fraud led to an annual loss of $60 million in SMS fees. The new QR code system will be rolled out over the next few months, requiring users to scan a code rather than receive a text code. Google confirms the move will not completely eliminate the use of SMS but will drastically reduce reliance on it for login, aiming to minimize the attack surface for potential security breaches. | Details |
| 2025-02-24 21:37:27 | bleepingcomputer | NATION STATE ACTIVITY | OpenAI Blocks DPRK Hackers Using ChatGPT for Cyber Operations | OpenAI identified and banned multiple North Korean hacker accounts that used ChatGPT to target entities and research hacking methods. The detected activity aligns with known North Korean state-sponsored groups, including VELVET CHOLLIMA and STARDUST CHOLLIMA, which are involved in cyber espionage and financial theft. The banned accounts were used for coding assistance and the development of tools for potential cyberattacks, including Remote Administration Tools and Remote Desktop Protocol brute-force attacks. The hackers also used ChatGPT to gather information on cryptocurrencies and debug malicious software, including staging URLs for unknown binaries. Some of this activity involved creating and disseminating debugging information that has since helped security vendors better detect malicious binaries. In addition to direct hacking efforts, North Korean threat actors reportedly used ChatGPT to support employment scams aimed at infiltrating Western companies to indirectly generate revenue for Pyongyang. OpenAI has expanded its monitoring and disruption of adversarial activity by state actors, including campaigns from China focused on surveillance and disinformation. | Details |
| 2025-02-24 20:53:36 | bleepingcomputer | DATA BREACH | Major Russian IT Provider LANIT Breached, Financial Sector Alerted | Russia’s National Coordination Center for Computer Incidents (NKTsKI) issued a warning about a security breach at LANIT, a significant IT service provider. The breach, occurring on February 21, 2025, affected LLC LANTER and LLC LAN ATMservice, part of the LANIT Group, specializing in banking technologies. LANIT is a critical player in Russia’s IT sphere, providing services to high-profile clients including the Ministry of Defense and Rostec. NKTsKI advises impacted organizations to change passwords, access keys, and remote connection credentials urgently. Enhanced monitoring of information security events and threats in systems developed or maintained by LANIT engineers is also recommended. The advisory did not reveal the method of the breach, the specifics of the stolen data, or the identities of the perpetrators. The breach raises concerns of potential widespread supply chain disruptions within Russia’s financial sector. | Details |
| 2025-02-24 20:28:36 | theregister | MISCELLANEOUS | HUD TVs Show Deepfake of Trump; Federal Staff Cuts Spark Tension | TV screens at the US Department of Housing and Urban Development displayed a deepfake video depicting former President Trump and Elon Musk, causing staff to unplug monitors. The video, part of an apparent prank, included the message "Long live the real king," referencing Trump's recent self-comparison to a monarch. Concurrently, significant job cuts are occurring across federal agencies, directed by Musk's DOGE project, including a controversial workforce reduction plan at HUD. Federal employees received an HR email from the Office of Personnel Management, managed under DOGE, demanding a list of weekly accomplishments, threatening non-compliance with implied resignation. Major federal departments, including the FBI and the Pentagon, advised employees against complying with the email, questioning its legality and its efficiency. Elon Musk justified the mass email as a method to weed out non-performing or fraudulent government employees. The National Science Foundation, NASA, and CISA are among key agencies facing severe workforce reductions. The incident with the HUD displays has been resolved, with all inappropriate content removed from public view. | Details |
| 2025-02-24 18:14:18 | bleepingcomputer | NATION STATE ACTIVITY | Australia Prohibits Kaspersky Products Due to Security Risks | The Australian government has banned all Kaspersky Lab products from its systems, citing significant security risks. Stephanie Foster, Secretary of the Department of Home Affairs, highlighted concerns over foreign interference, espionage, and sabotage linked to the use of Kaspersky products. The ban targets non-corporate Commonwealth entities, with some exemptions for national security and regulatory functions. Kaspersky refuted the allegations, arguing the decision lacks specific evidence and claiming it was politically motivated due to the geopolitical climate. The company criticized the lack of due process and opportunity for engagement before the directive's issuance. Similar bans on Kaspersky products have been implemented in other countries, including the U.S., Germany, and Canada, primarily citing national security concerns. | Details |