Daily Brief
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-02-18 22:57:59 | bleepingcomputer | MISCELLANEOUS | WinRAR 7.10 Enhances User Privacy by Modifying MoTW Data | WinRAR 7.10 introduces new features, including performance boosts via larger memory pages and a new dark mode. A notable update allows users to limit the propagation of Windows Mark-of-the-Web (MoTW) flags to enhance privacy. MoTW is a security tag added to files downloaded from the internet, warning users of potential risks. The updated WinRAR setting, "Zone value only," strips additional data from MoTW, leaving only the ZoneId, reducing privacy risks when files are shared. This setting is now enabled by default but can be adjusted in WinRAR's settings under "Security." While the feature aids user privacy, it could complicate digital forensics by obscuring origination details of downloaded files. These enhancements aim to bolster both the performance and usability of the WinRAR application. |
| 2025-02-18 21:28:15 | bleepingcomputer | MALWARE | Trojanized Game Downloads Infect Gamers with Cryptominers | A malware campaign named "StaryDobry" has been infecting gamers globally by distributing trojanized versions of popular games like Garry's Mod and BeamNG.drive. These cracked games, available on torrent sites since September 2024, included malicious code that triggered during the holiday seasons when detection risks were lower. The infection process involved a complex multi-stage chain that ended with the installation of an XMRig cryptominer, targeting powerful computers with at least eight CPU cores. Upon installation, the malware would check for virtual environments or security tools, terminate if detected, and proceed discreetly to avoid jeopardizing the torrent's reputation. It used resource spoofing and scheduled tasks to maintain persistence on the infected system, sending detailed system information to a command and control server. The modified XMRig miner avoided public mining pools, making the tracking of illicit mining proceeds more challenging. Kaspersky, the cybersecurity firm that reported this, couldn't attribute the campaign to any known threat actors but suggested it likely originated from a Russian-speaking entity. This strategy particularly targeted gamers using torrented games, exploiting high-end gaming systems for sustained cryptomining operations. |
| 2025-02-18 20:46:41 | theregister | MALWARE | Snake Keylogger Targets Windows Users with Enhanced Tactics | A new variant of Snake Keylogger is primarily affecting Windows users in Asia and Europe. This version utilizes the AutoIt scripting language for deployment, complicating detection and analysis by embedding the malware within a script. The malware is delivered via spam email attachments, logging keystrokes, capturing screenshots, and collecting clipboard data to steal sensitive information. It transmits stolen data through SMTP email, Telegram bots, and HTTP POST requests to its command-and-control server. Upon execution, the malware replicates itself in the system's %Local_AppData%\supergroup folder with the file name ageless[.]exe and remains hidden. It ensures persistence on infected systems by placing a script in the Startup folder, allowing it to run automatically upon system reboot without requiring administrative privileges. The malware employs process hollowing and the SetWindowsHookEx API to evade detection and log keystrokes, capturing banking credentials and more. Snake Keylogger also checks the victim's IP address via a specific URL for potential geolocation tracking. |
| 2025-02-18 20:37:53 | bleepingcomputer | CYBERCRIME | Insight Partners Reports Cyberattack and Information Breach | Venture capital firm Insight Partners experienced a cyber breach in January due to a social engineering attack. The breach specifically occurred on January 16, targeting the firm's information systems. Insight Partners, managing over $90 billion and involved in 800+ tech startups, responded by notifying law enforcement and employing cybersecurity experts. The firm moved swiftly to contain and investigate the breach, ensuring no ongoing access for attackers within their network. There was no immediate information on any operational disruptions or data theft, although investigations are ongoing. Insight Partners has communicated with stakeholders to encourage enhanced security measures and vigilance. The company believes there will be no significant impact on its portfolio companies or funds from this incident. Further updates are to be provided pending the outcome of the comprehensive investigation. |
| 2025-02-18 18:09:48 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Use Microsoft Tool to Bypass Antivirus Defenses | Chinese APT group Mustang Panda has exploited the Microsoft Application Virtualization Injector utility to inject malicious payloads. This tactic allows the malware to avoid detection by disguising it within legitimate processes, bypassing antivirus software. Trend Micro identified over 200 victims of these attacks since 2022, primarily targeting Asian-Pacific government entities through spear-phishing. The phishing emails used by the attackers mimic communications from governmental or authoritative bodies and contain malicious attachments. When specific ESET antivirus components are detected on a system, Mustang Panda employs specialized evasion techniques using pre-installed Windows tools. The malware utilizes the 'waitfor.exe' utility, exploiting its trust level within systems to execute malicious activities undetected. The backdoor deployed, known as TONESHELL, facilitates remote command execution and data exfiltration. Trend Micro assesses that these attacks exhibit tailored traits indicating a sophisticated toolset likely unique to Mustang Panda. |
| 2025-02-18 17:11:02 | bleepingcomputer | MALWARE | Juniper Fixes Critical Authentication Flaw in Smart Routers | Juniper Networks addressed a critical authentication bypass vulnerability in its Session Smart Router (SSR) devices. The security flaw, identified as CVE-2025-21589, could allow network-based attackers to gain administrative control over the affected routers. This vulnerability was discovered during Juniper's internal security testing and affects not only SSRs but also Session Smart Conductor and WAN Assurance Managed Routers. There have been no reported instances of the vulnerability being exploited in the wild, according to Juniper's Security Incident Response Team. Patched versions include SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2, and all subsequent releases. Juniper recommends upgrading all affected systems and notes that devices connected to the Mist Cloud may have been patched automatically. In environments managed by a Conductor, upgrading the Conductor nodes alone is sufficient to secure all connected routers, though direct upgrades are still advised. Previous vulnerabilities in Juniper devices have seen attackers rapidly developing exploits, highlighting the importance of timely upgrades and patches. |
| 2025-02-18 17:11:02 | bleepingcomputer | DDOS | New OpenSSH Vulnerabilities Risk MiTM and DoS Attacks | OpenSSH has issued updates for critical vulnerabilities affecting SSH servers, discovered by Qualys. Two key security flaws include a decade-old MiTM vulnerability (CVE-2025-26465) and a recent DoS issue (CVE-2025-26466). The MiTM flaw exploits the 'VerifyHostKeyDNS' option, enabling attackers to hijack SSH sessions and manipulate data, even without user interaction. The DoS vulnerability, exploitable pre-authentication, uses repeated small messages to overwhelm server resources, potentially crashing systems. Affected versions extend as far back as OpenSSH 6.8p1, with the DoS flaw introduced in version 9.5p1 released in August 2023. As remediation, OpenSSH version 9.9p2 was released, addressing both vulnerabilities. Recommendations include disabling the 'VerifyHostKeyDNS' option and enforcing rate limits to manage SSH connections securely. |
| 2025-02-18 17:02:56 | theregister | RANSOMWARE | US Newspaper Publisher Hit by Suspected Ransomware Attack | US newspaper publisher Lee Enterprises described a significant service disruption in a recent SEC filing, attributing it to a "cybersecurity attack." The company disclosed that threat actors had unlawfully accessed their network, encrypting critical applications and exfiltrating certain files, hinting at a double extortion ransomware scenario. The incident, first reported on February 7, has affected various business areas including product distribution, billing, collections, and vendor payments. Lee Enterprises has initiated a phased recovery, estimating several weeks until full operational status is restored, with substantial financial implications expected. Forensic investigations continue to assess whether sensitive data or personally identifiable information was compromised, with no conclusive evidence found as of the report. Temporary measures have been implemented, such as manual transaction processing and alternative distribution channels, to maintain critical business functions. The company is covered by a comprehensive cybersecurity insurance policy that assists with costs related to incident response and potential regulatory fines. Despite recovery efforts, operational disruptions persist, affecting print and digital product distribution and causing delays and format reductions in certain publications. |
| 2025-02-18 16:37:06 | bleepingcomputer | MISCELLANEOUS | Why Compliance Alone Doesn't Guarantee Cybersecurity | Compliance with security frameworks like PCI-DSS does not ensure protection against data breaches, as demonstrated by recent costly breaches at major corporations. Many organizations treat compliance as a final goal rather than a baseline, focusing on audit passage rather than real-world security effectiveness. Adversaries exploit vulnerabilities overlooked during compliance-driven security checks, such as unpatched software or misconfigurations. Proactive security measures, including real-world attack simulations and continuous validation, are crucial to identify and mitigate potential attack vectors. Regular security testing, such as penetration testing and red teaming, helps organizations understand the actual performance of their defenses. A shift from compliance-focused strategies to proactive, continuous testing and validation is necessary to protect against evolving cyber threats. Continuous security measures like testing and updating defenses in response to new vulnerabilities are essential in staying ahead of attackers. Organizations must realize that compliance is only a starting point and invest in validating and improving their security measures through proactive testing. |
| 2025-02-18 15:41:10 | thehackernews | CYBERCRIME | Critical Security Flaws Found in OpenSSH: Urgent Patch Required | Two severe vulnerabilities have been identified in OpenSSH that could lead to Man-in-the-Middle (MitM) and DoS attacks. CVE-2025-26465 allows for a MitM attack where an attacker can trick the client into accepting a fraudulent key, compromising session integrity. This vulnerability enables unauthorized access to sensitive data by potentially intercepting or tampering with SSH sessions. CVE-2025-26466 could repeatedly destabilize server availability, lock out legitimate users, and disrupt administrative operations. Both security issues have been resolved in the newly released OpenSSH version 9.9p2. Qualys Threat Research Unit, which disclosed these flaws, had previously reported another critical OpenSSH vulnerability, indicating ongoing security risks. Organizations using OpenSSH are urged to update to the latest version immediately to protect against potential exploits. |
| 2025-02-18 15:34:41 | theregister | CYBERCRIME | Critical Security Flaws Found in OpenSSH, Urgent Patches Released | Two significant vulnerabilities have been discovered in OpenSSH allowing Man-in-the-Middle (MitM) and Denial-of-Service (DoS) attacks. The vulnerabilities, identified as CVE-2025-26465 and CVE-2025-26466 by Qualys, were patched promptly after confirmation. The MitM vulnerability exploited the VerifyHostKeyDNS option being set to "yes" or "ask," previously a default setting, risking encrypted data interception. The DoS attack involves asymmetric resource consumption which could lead to severe outages and maintenance issues. CVE-2025-26465 had been present since December 2014, while CVE-2025-26466 was introduced in August 2023. OpenSSH version 9.9p2 has been released with patches addressing both vulnerabilities, along with acknowledgements to Qualys for their contributions. Security experts stress the importance of applying these patches immediately, despite the moderate severity scores, due to the potential misuse of the widely used OpenSSH tool in critical environments. These breaches could potentially lead to extensive reputational damage, compliance violations (e.g., GDPR, HIPAA, PCI-DSS), and critical operational disruptions. |
| 2025-02-18 15:11:11 | thehackernews | NATION STATE ACTIVITY | Chinese-State Hackers Use MAVInject.exe to Bypass Antivirus | Chinese hacker group Mustang Panda exploited Microsoft's MAVInject.exe to inject malware and evade detection by ESET antivirus systems. Trend Micro identified the use of MAVInject.exe for proxy execution of malicious code, targeting systems specifically using ESET. The hacking technique involved multiple file drops, including legitimate executables and a decoy PDF, using Setup Factory to maintain persistence. The attack chain began with an executable designed to target Thai users, suggesting spear-phishing as the initial attack vector. A modified version of the TONESHELL backdoor, embedded in a legitimate Electronic Arts application, was used to sideload malicious code. Upon detecting ESET processes, MAVInject.exe was deployed to execute the malware without triggering antivirus alerts. The malware decrypted shellcode to establish remote connections, enabling command execution, file movement, and deletion on the compromised systems. Data exfiltration was facilitated through a command-and-control server, indicating extensive planning and execution capabilities by the attackers. |
| 2025-02-18 15:02:25 | bleepingcomputer | DATA BREACH | Finastra Hit by Data Breach, Personal Information Stolen | Finastra, a global fintech leader, reported a data breach originating in October 2024, affecting an unknown number of individuals. The breach was detected on November 7, 2024, after malicious activity was noticed on their Secure File Transfer Platform (SFTP). Attackers accessed the SFTP multiple times between October 31 and November 8, 2024, specifically obtaining certain files on the first day. Although data was extracted, Finastra believes there is a low risk of misuse of the stolen information and has no evidence of data being copied, retained, or shared further. Initial reports indicate at least 65 people in Massachusetts had their financial account details stolen. Victims are being offered two years of free credit monitoring and identity restoration services by Finastra through Experian. A threat actor on BreachForums, known as "abyss0," claimed to sell 400GB of data allegedly from Finastra, though the company has not confirmed this data's origins. Past security issues include a ransomware attack in March 2020 and criticism over unpatched servers vital to their network security. |
| 2025-02-18 14:03:26 | theregister | MISCELLANEOUS | Transitioning From C to Modern Programming Cultivates Safety | The FBI and CISA advocate for replacing older programming languages like C due to their susceptibility to buffer overflow bugs, a major security risk. Despite its powerful capabilities, C lacks modern safeguards, making it comparable to using a chainsaw without a safety guard. Modern programming languages offer more robust defenses against such vulnerabilities, highlighting a pressing need to update or improve coding practices. The reluctance to move away from C in professional environments is compared to chainsaw jugglers not wanting to switch to safer equipment, reflecting cultural and technical inertia. Major tech companies are criticized for not investing sufficiently in code testing and safety, prioritizing expenditures elsewhere, like AI, over basic code integrity. Transitioning to safer programming practices and languages is not just a technical challenge but also a cultural shift within organizations. The article suggests that the legal landscape could evolve to hold companies accountable for avoidable coding errors, pushing the industry towards better practices. Ultimately, using more secure code and eliminating outdated practices will provide competitive advantages and are seen as inevitable for future sustainability and safety in tech. |
| 2025-02-18 13:04:52 | thehackernews | MALWARE | New FrigidStealer Malware Campaign Targets macOS Users | Cybersecurity researchers have discovered a new malware called FrigidStealer targeting macOS users through fake browser updates. A threat actor identified as TA2727 uses web injects on compromised websites to distribute various malware payloads, including those targeting Windows and Android devices. TA2727 collaborates with TA2726, a malicious traffic distribution system operator that aids in spreading malware by compromising web servers and sites. The campaign simulates legitimate browser updates to deploy different malware based on the user's geographic location or device type. In instances in Europe, for example, users are directed to download malware that installs information stealers or banking trojans depending on the device used. The macOS-directed part of the campaign tricks users into launching an unsigned app, bypassing Gatekeeper security, to install FrigidStealer. FrigidStealer on macOS exploits AppleScript to gain elevated privileges and harvest sensitive information from various applications, including cryptocurrency apps. The report is part of ongoing observations of evolving stealer malware tactics that emphasize customization of payloads to the environment of the target. |