Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12820
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-02-19 17:47:57 | bleepingcomputer | DATA BREACH | Genea Fertility Services Hit by Significant Data Security Breach | Genea, a major provider of fertility services in Australia, disclosed that an unauthorized third party gained access to its network. The company detected suspicious activity, investigated, and confirmed that systems had been compromised and data accessed. Which data was accessed has not yet been determined, but it may include sensitive personal information of patients. Genea is working to establish the full extent of the breach, restore affected servers and secure its systems. It plans to notify affected individuals directly if their personal information turns out to have been compromised. The company has apologized, reiterated its commitment to data security, and is focusing on minimizing disruption to patient treatment. The breach coincides with recent technical problems, including a phone outage and reported downtime of the MyGenea patient app. | Details |
| 2025-02-19 17:47:57 | bleepingcomputer | MALWARE | Malicious Browser Update Alerts Spread New FrigidStealer Malware | Fake browser update ("FakeUpdate") campaigns are now delivering FrigidStealer, a macOS-specific information stealer, through fabricated update alerts shown on compromised websites. Two cybercrime groups, TA2726 and TA2727, collaborate on the campaigns: TA2726 operates the traffic distribution service that routes visitors, and TA2727 supplies and delivers the malware. The payload is chosen per platform: Mac visitors receive FrigidStealer, Windows visitors Lumma Stealer or DeerStealer, and Android visitors the Marcher banking trojan. FrigidStealer is built with the WailsIO framework, which gives the installer a polished, legitimate-looking interface so victims complete the installation without suspicion. Once running it harvests passwords, cryptocurrency wallet data and notes, among other sensitive data, and exfiltrates it to a command-and-control server. Infostealer infections carry serious financial and privacy consequences and frequently precede data breaches and ransomware intrusions. Users should never install an update offered by a web page, since browsers update themselves through their own built-in mechanism; anyone who has run such an installer should assume every saved credential is compromised and change passwords immediately. | Details |
| 2025-02-19 17:01:27 | thehackernews | NATION STATE ACTIVITY | Russia-Aligned Hackers Compromise Signal Accounts, Eavesdrop on Conversations | Multiple Russia-aligned threat actors are abusing Signal's "linked devices" feature to hijack accounts with malicious QR codes. According to Google Threat Intelligence Group, scanning such a code links the victim's Signal account to an attacker-controlled Signal instance, after which the attacker receives the victim's messages in real time without having to compromise the phone itself. The malicious codes are disguised as group invites, security alerts, or legitimate device-pairing instructions. Named clusters include UNC5792, which mimicked Signal group invites, and UNC4221, which targeted Ukrainian military personnel with a custom phishing kit. Sandworm and Turla have also gone after Signal by other means, using scripts and utilities to exfiltrate stored messages. Microsoft and Volexity have observed the same focus on secure messaging apps, indicating an intensified threat to these platforms. The increased targeting of Signal and similar apps by nation-state actors raises significant privacy and security concerns; users should periodically review the Linked Devices list in Signal's settings and unlink any device they do not recognize. | Details |
| 2025-02-19 15:48:37 | bleepingcomputer | CYBERCRIME | Palo Alto Warns of Active Exploitation of Firewall Vulnerabilities | Palo Alto Networks has confirmed that an authenticated file-read vulnerability in PAN-OS (CVE-2025-0111) is being chained with the authentication bypass CVE-2025-0108 and the privilege escalation CVE-2024-9474 in attacks on PAN-OS firewalls. CVE-2025-0108 and CVE-2024-9474 had already been disclosed and patched by Palo Alto Networks before the chain was observed; all three flaws sit in the management web interface, so devices that expose it are the ones at risk. Assetnote researchers had published a proof-of-concept chaining CVE-2025-0108 with CVE-2024-9474 to obtain root on unpatched firewalls. GreyNoise observed exploitation attempts grow from two source IP addresses to 25, mostly located in the U.S., Germany and the Netherlands. Despite available patches, many PAN-OS devices still expose their management interface to the internet and remain unpatched; one scan found roughly 65% of reachable devices vulnerable to at least one of the three flaws. CISA has urged federal agencies to patch or stop using the affected PAN-OS versions by March 11, 2025, because of the ongoing exploitation. | Details |
| 2025-02-19 15:07:01 | bleepingcomputer | CYBERCRIME | Navigating New Cyber Threats: The Rise of Browser-Based Attacks | Cybercriminals are increasingly targeting the web browser itself, shifting away from the network perimeter to the application through which most daily work now happens. Browser-based attacks, including in-browser malware assembly and advanced phishing, abuse web applications and manipulate page content in real time, which network firewalls and endpoint security tools do not see. Campaigns such as ClearFake and SocGholish assemble their malicious code dynamically inside the browser, leaving little for conventional file- or network-based detection to match on. Keep Aware offers tools for real-time visibility and threat prevention in the browser, including session telemetry and DOM-tree analysis, to improve detection and response. Newer phishing kits evade automated detection with multi-step flows that impersonate trusted services such as Microsoft and abuse legitimate platforms such as Google Docs. Browser extensions are a growing concern, as shown by a compromised Chrome Web Store account, and call for real-time monitoring and strictly enforced extension policies. Traditional security models overlook the browser's Document Object Model (DOM); the article argues for browser-native detection that monitors session behavior and page interactions as they happen. Organizations are urged to add Browser Detection and Response (BDR) to their security stack to counter browser-based threats. | Details |
| 2025-02-19 14:10:56 | bleepingcomputer | MISCELLANEOUS | WinRAR 7.10 Enhances User Privacy and Application Performance | WinRAR 7.10 brings several upgrades, including improved memory management and a dark mode. The notable security change is a new "Zone value only" option that reduces the metadata propagated to files extracted from a downloaded archive. The Mark-of-the-Web (MotW) is the Zone.Identifier alternate data stream that Windows attaches to files downloaded from the internet; it records the security zone the file came from and can also record the referrer and host URLs of the download, and Windows uses it to warn users before they open or run such files. WinRAR propagates the MotW from an archive to the files it extracts so those warnings still apply; with "Zone value only" enabled it copies only the zone value and drops the URL fields, so the download source is not disclosed to whoever later receives the extracted files. Full propagation of the MotW remains available for users who need the source information, for example in digital forensics. | Details |
| 2025-02-19 13:05:05 | theregister | DATA BREACH | Medical Records Found on Hard Drives Bought at Flea Market | Sensitive medical records were found on hard drives bought for €5 each at a flea market next to the Weelde airbase in the Netherlands. The 15GB of data, spanning 2011 to 2019, included Dutch social security numbers (BSN), dates of birth, home addresses and medication details. The files were traced to Nortade ICT Solutions, a defunct software company formerly based in Breda that specialized in healthcare-sector software. Dutch law requires storage devices holding medical data to be professionally erased, a step Nortade apparently skipped. The buyer went back to the market and bought a further ten drives holding similar data. How the drives reached the market is unknown, but negligence appears likely: professional destruction of such data carriers is mandatory but costs money. Security experts recommend overwriting and physical destruction as ways to sanitize drives before disposal; for SSDs and other flash media, overwriting is unreliable because of wear levelling, so the drive's built-in secure-erase command or physical destruction is the safer choice. The incident shows a significant lapse in data protection and the resulting risk to personal privacy and security. | Details |
| 2025-02-19 12:53:11 | thehackernews | MALWARE | New Snake Keylogger Variant Escapes Detection, Targets Global Users | A new variant of the Snake Keylogger malware is targeting Windows users in China, Turkey, Indonesia, Taiwan and Spain, and uses AutoIt scripting to evade detection. Fortinet FortiGuard Labs reports blocking over 280 million infection attempts worldwide since the start of the year. Snake Keylogger is distributed mainly through phishing emails carrying malicious attachments or links; once running, it logs keystrokes and harvests credentials and other sensitive data stored by web browsers. It exfiltrates the stolen data to attacker-controlled endpoints over SMTP and through Telegram bots. Packaging the payload as a compiled AutoIt script complicates analysis and makes the binary resemble legitimate automation tooling, helping it slip past signature-based detection. For persistence it drops copies of itself into system folders and arranges for them to run again after a reboot, keeping long-term access. It hides its execution by injecting the payload into a legitimate .NET process using process hollowing, in which a benign process is started suspended and its memory is replaced with the malicious code. The campaign is part of a wider trend of obfuscated files and deceptive delivery, such as Lumma Stealer being spread through compromised educational infrastructure to hit multiple industries. | Details |
| 2025-02-19 12:07:29 | bleepingcomputer | NATION STATE ACTIVITY | Russian Phishing Attacks Exploit Signal's Device-Link Feature | Russia-aligned threat actors have used phishing campaigns to gain access to Signal accounts through the app's "Linked Devices" feature. Google Threat Intelligence Group reports that the attackers generated malicious QR codes which, when scanned by the victim, link the victim's account to an attacker-controlled device so that the victim's messages are synchronized to the attacker from then on. The campaigns ranged from broad phishing to narrowly targeted operations, with the lure adapted to the target. One cluster, UNC5792, hosted convincing imitations of real Signal group invites that led users to the malicious pairing URL. Another, UNC4221, targeted Ukrainian military personnel with a bespoke phishing kit imitating the Kropyva artillery-guidance software. Russian and Belarusian actors have also gone after the Signal database files on Android and Windows using malware and scripts. Because a linked device keeps receiving messages without any further interaction from the victim, the compromise can persist undetected for a long time; recommended mitigations include keeping Signal updated, regularly reviewing and pruning the Linked Devices list, using complex passwords and enabling two-factor authentication. | Details |
| 2025-02-19 11:02:13 | thehackernews | MISCELLANEOUS | Guide to Launching and Growing vCISO Services for MSPs | Rising demand for cybersecurity services is an opportunity for MSPs and MSSPs to offer virtual Chief Information Security Officer (vCISO) services. The guide, produced with Jesse Miller of PowerPSA Consulting, gives practical advice on structuring, pricing and marketing such services. It recommends starting by assessing existing security offerings and client segments to identify the best candidates, and upselling current clients before chasing new ones. Structuring the service means tiering clients by security maturity, automating delivery where possible, and building on established frameworks so outcomes are consistent. Selling it means understanding each client's business objectives, positioning security as a strategic asset, and setting clear expectations about scope and outcomes. Long-term trust comes from combining technical expertise with an understanding of the client's business, which positions the MSP as a strategic advisor. The guide also covers the hidden costs of a vCISO practice, strategic hiring, client education and the tooling needed to stay profitable, and points to Cynomi's AI platform and PowerPSA's PowerGRYD methodology as ways to scale the offering. | Details |
| 2025-02-19 09:35:07 | theregister | DATA BREACH | London Talent Agency Hit by Ransomware, Reports Data Breach | A London talent agency that represents high-profile clients has self-reported a ransomware attack to the UK Information Commissioner's Office (ICO). The Rhysida ransomware group claimed responsibility and has already published some of the stolen data online, including passport scans of the agency's clients. Rhysida is auctioning the data set for 7 Bitcoin (about $678,035) and has set a payment deadline. The ICO is making enquiries, noting that an organization reporting an incident does not by itself mean a punishable breach of data protection law has occurred. Rhysida is known for high-profile attacks but does not rank among the most active ransomware groups in recent analyses. Earlier Rhysida victims such as the British Library faced substantial recovery costs, which suggests the agency may too. The standard advice after such attacks is to patch known vulnerabilities, particularly in VPN appliances, and to enable multi-factor authentication. | Details |
| 2025-02-19 09:35:07 | thehackernews | MALWARE | Large-Scale Trojanized Game Installers Spread Crypto Miner | Kaspersky detected a malware campaign it calls StaryDobry, which began on December 31, 2024 and uses trojanized video game installers to deploy cryptocurrency miners. It targeted Windows users worldwide, with the highest infection rates in Russia, Brazil, Germany, Belarus and Kazakhstan. Pirated copies of popular titles including BeamNG.drive, Garry's Mod and Dyson Sphere Program were used as bait on torrent sites. The malware, embedded in the games' setup files, fingerprints the environment and aborts if it detects a sandbox or debugger. If it proceeds, it collects the victim's IP address and system details and then installs a modified XMRig miner, but only on machines with eight or more CPU cores. The operation is multi-staged, with a final stage that contacts a remote server to fetch the mining payload. Artifacts in the attack chain point to a Russian-speaking operator, but Kaspersky did not attribute it to a known crimeware group. | Details |
| 2025-02-19 04:57:24 | thehackernews | CYBERCRIME | CISA Updates KEV Catalog with Newly Exploited Security Flaws | CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog because of active exploitation: one in Palo Alto Networks PAN-OS and one in SonicWall SonicOS SSLVPN. Palo Alto Networks confirmed ongoing exploitation attempts against CVE-2025-0108, an authentication bypass in the PAN-OS management web interface that can be chained with CVE-2024-9474 to gain access to firewalls whose management interface is reachable. GreyNoise reported significant exploitation activity, with 25 IP addresses launching attacks against CVE-2025-0108, mostly from the U.S., Germany and the Netherlands. Arctic Wolf reported that the SonicWall flaw, CVE-2024-53704, is being actively exploited following the release of a proof-of-concept by Bishop Fox. Federal Civilian Executive Branch (FCEB) agencies must remediate both vulnerabilities by March 11, 2025. | Details |
| 2025-02-19 01:19:21 | theregister | DATA BREACH | Healthcare Provider Settles for $11M Over False Infosec Compliance | Health Net Federal Services (HNFS) and its parent Centene Corporation have agreed to pay $11.25 million to settle allegations that HNFS falsely certified compliance with cybersecurity requirements under a Department of Defense contract. Neither company admitted wrongdoing, and the settlement makes no determination of liability. The claims date back a decade and concern HNFS's administration of the TRICARE health program for servicemembers and their families across 22 states. Allegations include ignoring findings from third-party security audits and failing to perform required practices such as vulnerability scanning and patch management. The Department of Justice said that from 2015 to 2018 HNFS certified compliance while neglecting several cybersecurity standards. No data theft or loss was reported, but the shortcomings could have exposed sensitive health and personal information. The case underlines the importance of securing sensitive government data, especially the health records of military personnel and their families, and shows that false compliance attestations carry legal exposure even when no breach follows. | Details |
| 2025-02-19 00:24:39 | theregister | CYBERCRIME | Palo Alto Firewalls Targeted in Root Access Exploit Chain | Palo Alto Networks recently patched CVE-2025-0108, a high-severity (CVSS 8.8) flaw that is being exploited together with two other vulnerabilities to gain root on firewalls. Attackers chain CVE-2024-9474, CVE-2025-0108 and CVE-2025-0111, compromising the integrity and confidentiality of PAN-OS. The most serious component is the authentication bypass, which lets an unauthenticated attacker invoke certain PHP scripts in the PAN-OS management web interface. Palo Alto Networks has confirmed rising exploitation attempts and urges customers to upgrade to the fixed releases in the 10.1, 10.2, 11.0, 11.1 and 11.2 trains. Best practice is to keep the management interface off the internet and restrict it to trusted internal addresses, since an exposed interface is a major risk. The company issued patches on February 12, 2025, with further updates pending for related issues, including firewall reboots triggered by specific network traffic. Restricting access reduces exposure but does not remove it: an unpatched firewall remains exploitable by anyone who can reach the management interface from inside the network. | Details |
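The two Signal items above describe the attack only at the level of "a malicious QR code links the account to the attacker's device". The script below is an added example, not code from the articles, Google or Signal: it triages decoded QR payloads and links from a suspected lure and flags the ones that would link a new device. It assumes the URI form that Signal's open-source clients place in the pairing QR code, `sgnl://linkdevice?uuid=...&pub_key=...`, and that genuine group invites live under `https://signal.group/`; both come from the Signal clients rather than from the articles, and the `uuid` and `pub_key` parameter names are only reported when present, so the classification rests on the scheme and host alone. The sample payloads are constructed.

```python
"""Triage decoded QR payloads / hrefs from a suspected Signal lure.

Added example, not from the article, Google or Signal. The linking URI form
(sgnl://linkdevice?uuid=...&pub_key=...) and the group-invite host
(signal.group) are assumptions taken from Signal's open-source clients.
"""
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

LINK_DEVICE_SCHEME = "sgnl"        # assumption: scheme used by Signal pairing QR codes
LINK_DEVICE_HOST = "linkdevice"    # assumption: host part of that URI
GROUP_INVITE_HOST = "signal.group"  # assumption: where real group invite links live


def classify_payload(payload: str) -> dict[str, object]:
    """Classify one decoded QR payload or href.

    Returns a dict with 'kind' in {'device_link', 'group_invite', 'other'} and,
    for device links, whichever linking parameters were present. The point for
    triage is the scheme/host: a genuine linking QR is only ever displayed by
    Signal Desktop or iPad on the screen you are pairing with; it is never sent
    as an image, embedded in a web page, or dressed up as an 'invite'.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = parts.netloc.lower()
    if scheme == LINK_DEVICE_SCHEME and host == LINK_DEVICE_HOST:
        query = parse_qs(parts.query)
        return {
            "kind": "device_link",
            "uuid": query.get("uuid", [None])[0],      # assumed parameter name
            "has_pub_key": "pub_key" in query,         # assumed parameter name
        }
    if scheme == "https" and host == GROUP_INVITE_HOST:
        return {"kind": "group_invite"}
    return {"kind": "other"}


def flag_lures(payloads: list[str]) -> list[str]:
    """Return the payloads that would link a new device to the victim's account."""
    return [p for p in payloads if classify_payload(p)["kind"] == "device_link"]


# Constructed inputs: what a QR decoder or an HTML link extractor might hand back
# from a phishing page styled as a group invite. The token, uuid and key are made up.
CONSTRUCTED_PAYLOADS = [
    "https://signal.group/#CjQKIExampleGroupInviteTokenOnlyForIllustration",
    "sgnl://linkdevice?uuid=c0ffee00-1234-4abc-9def-000000000001&pub_key=QUJDREVGR0hJSktMTU5PUA",
    "https://update.example.test/security-alert",
]

if __name__ == "__main__":
    for p in CONSTRUCTED_PAYLOADS:
        print(f"{classify_payload(p)['kind']:13s} {p}")
    print("flagged:", flag_lures(CONSTRUCTED_PAYLOADS))
```

Run it against the payloads a QR decoder or link extractor produces for a suspicious page, after following any redirects: the UNC5792 lures looked like group invites on the surface, so a payload only reveals itself as a device-link request once the final URI is in hand. Anything classified as `device_link` that arrived in a chat, an email or a web page is a pairing attempt the user did not initiate.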
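The WinRAR 7.10 item above turns on what the Mark-of-the-Web actually contains. The script below is an added example, not WinRAR's code: it parses the `Zone.Identifier` stream Windows writes to downloaded files and reduces it to the zone value alone, which is the transformation the "Zone value only" setting performs when propagating the mark to extracted files. The sample stream and its URLs are constructed; the zone numbering is the URLMON security-zone scheme Windows uses in this stream. The two stream I/O helpers only work on Windows/NTFS, where Python's built-in `open` can address an alternate data stream by `path:StreamName`.

```python
"""Parse a Windows Mark-of-the-Web (Zone.Identifier) stream and reduce it to
the zone value only, as WinRAR 7.10's "Zone value only" setting does.
Added example; not WinRAR's code."""
from __future__ import annotations

import os

# URLMON security zone IDs as written to the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of a full stream as a browser would write it. The URLs are
# made-up illustrations, not values from the article.
SAMPLE_FULL = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://intranet.example.test/reports/\r\n"
    "HostUrl=https://files.example.test/q4-report.zip\r\n"
)


def parse_zone_identifier(text: str) -> dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section into a key/value dict.

    Keys outside [ZoneTransfer] are ignored. A value may itself contain '='
    (URL query strings), so split only on the first one.
    """
    fields: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_value_only(text: str) -> str:
    """Return a stream carrying only ZoneId, dropping ReferrerUrl/HostUrl.

    Windows still sees the file as coming from the same zone, so its warnings
    stay in effect; only where it was downloaded from is no longer recorded.
    """
    fields = parse_zone_identifier(text)
    if "ZoneId" not in fields:
        raise ValueError("Zone.Identifier stream has no ZoneId field")
    return f"[ZoneTransfer]\r\nZoneId={fields['ZoneId']}\r\n"


def warns_on_open(text: str) -> bool:
    """True if the zone is one Windows treats as untrusted (Internet or Restricted)."""
    zone = int(parse_zone_identifier(text).get("ZoneId", "0"))
    return zone in (3, 4)


def zone_name(text: str) -> str:
    """Human-readable name of the zone recorded in the stream."""
    zone = int(parse_zone_identifier(text).get("ZoneId", "0"))
    return ZONE_NAMES.get(zone, f"Unknown zone {zone}")


def read_motw(path: str) -> str | None:
    """Read a file's Zone.Identifier stream (Windows/NTFS only); None if absent."""
    if os.name != "nt":
        raise OSError("alternate data streams are only available on Windows/NTFS")
    try:
        with open(f"{path}:Zone.Identifier", "r", newline="") as stream:
            return stream.read()
    except FileNotFoundError:
        return None  # not a download, or the mark was stripped


def write_motw(path: str, text: str) -> None:
    """Overwrite a file's Zone.Identifier stream (Windows/NTFS only)."""
    if os.name != "nt":
        raise OSError("alternate data streams are only available on Windows/NTFS")
    with open(f"{path}:Zone.Identifier", "w", newline="") as stream:
        stream.write(text)


if __name__ == "__main__":
    print("full stream fields:", parse_zone_identifier(SAMPLE_FULL))
    print("zone:", zone_name(SAMPLE_FULL), "| warns on open:", warns_on_open(SAMPLE_FULL))
    print("zone value only:", repr(zone_value_only(SAMPLE_FULL)))
```

On a Windows machine, `read_motw(path)` on a freshly downloaded file shows which of these fields the browser recorded, and `write_motw(path, zone_value_only(read_motw(path)))` applies the same minimisation to a file by hand. For forensic work, keep the original stream, since the dropped `HostUrl` and `ReferrerUrl` are exactly the provenance an investigator wants.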