Daily Brief

2025-02-13 23:35:41 bleepingcomputer CYBERCRIME Security Flaw Allows Unauthorized Code Execution in AWS EC2
Researchers at Datadog Security Labs disclosed a name-confusion attack against Amazon EC2, dubbed "whoAMI", that can lead to code execution inside a victim's AWS account. An attacker publishes a public Amazon Machine Image (AMI) whose name matches the naming pattern of a legitimate one; any code that looks AMIs up by name, omits the owner filter and picks the most recent match will then launch the attacker's image, and whatever that image contains runs on the resulting instances. AWS confirmed the issue, addressed it on its side, and added the 'Allowed AMIs' account setting, which restricts the AMI publishers an account can launch from. That setting does not rewrite customer code, so infrastructure code and automation that still query AMIs by name without an owner filter remain exposed. Datadog released a scanner that checks an AWS account for EC2 instances launched from AMIs not owned by trusted accounts. AWS advises always specifying AMI owners in lookups and enabling 'Allowed AMIs'.
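The lookup pattern the whoAMI story turns on, as an added example that is not Datadog's scanner or any AWS code. It runs on a constructed DescribeImages result (AMI IDs, owner account IDs and dates are made up) and shows the vulnerable "name filter, most recent" selection beside the owner-pinned one, the keyword arguments a safe boto3 `describe_images` call should carry, and the instance audit a whoAMI-style scanner performs. `TRUSTED_OWNERS` is an assumed allowlist.

```python
"""Added example (not Datadog's or AWS's code): the AMI name-confusion
pattern behind "whoAMI", shown on constructed DescribeImages data.

All AMI IDs, owner account IDs and dates below are made up.
"""
from fnmatch import fnmatchcase

# Constructed stand-in for the "Images" list that ec2:DescribeImages returns.
# 111111111111 plays the legitimate publisher; 999999999999 is the attacker,
# who published a *newer* public AMI whose name matches the same pattern.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0a1a1a1a1a1a1a1a1", "Name": "amzn2-ami-hvm-2.0.20250101.0-x86_64-gp2",
     "OwnerId": "111111111111", "CreationDate": "2025-01-01T00:00:00.000Z", "Public": True},
    {"ImageId": "ami-0b2b2b2b2b2b2b2b2", "Name": "amzn2-ami-hvm-2.0.20250212.0-x86_64-gp2",
     "OwnerId": "999999999999", "CreationDate": "2025-02-12T00:00:00.000Z", "Public": True},
]
TRUSTED_OWNERS = {"111111111111"}          # assumption: the account you actually trust
NAME_PATTERN = "amzn2-ami-hvm-*-x86_64-gp2"


def most_recent_ami(images, name_pattern, owners=None):
    """Pick the newest AMI whose Name matches, optionally restricted to owners.

    CreationDate is ISO-8601 with a fixed layout, so string order == time order.
    """
    candidates = [img for img in images if fnmatchcase(img["Name"], name_pattern)]
    if owners is not None:
        candidates = [img for img in candidates if img["OwnerId"] in owners]
    if not candidates:
        raise LookupError(f"no AMI matches {name_pattern!r}")
    return max(candidates, key=lambda img: img["CreationDate"])


def vulnerable_lookup(images=SAMPLE_IMAGES):
    """Name filter + most recent, no owner filter: the whoAMI-prone pattern."""
    return most_recent_ami(images, NAME_PATTERN)["ImageId"]


def hardened_lookup(images=SAMPLE_IMAGES):
    """Same lookup pinned to trusted owners: the attacker's AMI is never a candidate."""
    return most_recent_ami(images, NAME_PATTERN, owners=TRUSTED_OWNERS)["ImageId"]


def hardened_describe_images_params(name_pattern=NAME_PATTERN, owners=("amazon",)):
    """Keyword arguments for boto3's ec2.describe_images(**params).

    "amazon" is the documented Owners alias for Amazon-published AMIs; a concrete
    account ID works the same way. The point is that Owners is never omitted.
    """
    return {
        "Owners": list(owners),
        "Filters": [
            {"Name": "name", "Values": [name_pattern]},
            {"Name": "state", "Values": ["available"]},
        ],
    }


def audit_instances(instances, images, trusted_owners=TRUSTED_OWNERS):
    """Return IDs of instances whose AMI is unknown or owned by an untrusted account.

    This is the check a whoAMI-style scanner performs after fetching the
    account's instances and the images they reference.
    """
    owner_by_ami = {img["ImageId"]: img["OwnerId"] for img in images}
    flagged = []
    for inst in instances:
        owner = owner_by_ami.get(inst["ImageId"])
        if owner is None or owner not in trusted_owners:
            flagged.append(inst["InstanceId"])
    return flagged


if __name__ == "__main__":
    print("vulnerable picks:", vulnerable_lookup())   # attacker's AMI
    print("hardened picks:  ", hardened_lookup())     # legitimate AMI
    sample_instances = [  # constructed
        {"InstanceId": "i-0000000000000000a", "ImageId": "ami-0a1a1a1a1a1a1a1a1"},
        {"InstanceId": "i-0000000000000000b", "ImageId": "ami-0b2b2b2b2b2b2b2b2"},
    ]
    print("flagged:", audit_instances(sample_instances, SAMPLE_IMAGES))
```

The same fix applies to Terraform `data "aws_ami"` blocks and any other tool that wraps DescribeImages: `most_recent` without `owners` is exactly the combination that lets a newer, attacker-published name win.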
2025-02-13 18:36:21 theregister NATION STATE ACTIVITY China's Salt Typhoon Exploits Cisco Vulnerabilities, Targets Global Telcos
Salt Typhoon, a Chinese espionage group, has been exploiting vulnerabilities in Cisco network devices to compromise telecommunications networks worldwide. Recorded Future's Insikt Group reports that the group attempted to exploit more than 1,000 Cisco devices and confirmed compromise of at least seven, with targets including telecommunications providers and ISPs in the US, UK, Italy, South Africa and Thailand, as well as universities (UCLA among them), apparently to collect telecommunications, engineering and technology research. The attackers chained CVE-2023-20198 (initial access through the Cisco IOS XE web UI) and CVE-2023-20273 (privilege escalation to root) on unpatched devices, then configured generic routing encapsulation (GRE) tunnels between the compromised devices and their own infrastructure to keep persistent access; victims were also seen in South America and India. The campaign follows earlier Salt Typhoon intrusions at major US carriers including Verizon and AT&T, after which the US sanctioned Chinese firms linked to the group and called for stronger network security measures.
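A configuration audit for the two conditions this story turns on, as an added example that is not Recorded Future's or Cisco's tooling: the IOS XE web UI being enabled (the feature both CVEs live in) and GRE tunnels to peers the operator did not configure. The running-config below is constructed with documentation address ranges, and `KNOWN_TUNNEL_PEERS` is an assumed allowlist that a real deployment would take from its own inventory.

```python
"""Added example (not Recorded Future's or Cisco's tooling): audit an IOS XE
running-config for an enabled web UI (the component CVE-2023-20198 and
CVE-2023-20273 affect) and for GRE tunnels to peers you did not configure.

SAMPLE_CONFIG is constructed; the addresses are RFC 5737 documentation ranges.
"""
import ipaddress

SAMPLE_CONFIG = """\
hostname edge-rtr1
!
ip http server
ip http secure-server
!
interface Tunnel0
 description to-dc-core
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
interface Tunnel99
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

# Assumption: the operator's own list of approved GRE peers.
KNOWN_TUNNEL_PEERS = {"203.0.113.10"}


def parse_interfaces(config_text):
    """Return {interface_name: [sub-command lines]} from a running-config."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None            # '!' or a global command ends the block
    return interfaces


def gre_tunnels(config_text):
    """Yield (name, destination) for every interface configured as a GRE tunnel."""
    for name, lines in parse_interfaces(config_text).items():
        mode = next((l for l in lines if l.startswith("tunnel mode gre")), None)
        dest = next((l for l in lines if l.startswith("tunnel destination ")), None)
        if mode and dest:
            yield name, dest.split()[-1]


def audit_config(config_text, known_peers=KNOWN_TUNNEL_PEERS):
    """Return a list of findings (strings) for a human or a ticketing system."""
    findings = []
    global_lines = {l.strip() for l in config_text.splitlines() if not l.startswith(" ")}
    for cmd in ("ip http server", "ip http secure-server"):
        if cmd in global_lines:
            findings.append(f"web UI enabled via '{cmd}'; restrict or disable it")
    for name, dest in gre_tunnels(config_text):
        try:
            ipaddress.ip_address(dest)
        except ValueError:
            findings.append(f"{name}: non-IP GRE destination {dest!r}")
            continue
        if dest not in known_peers:
            findings.append(f"{name}: GRE tunnel to unapproved peer {dest}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against configs pulled by your normal backup job and diff the findings over time; a GRE tunnel that appears without a change ticket is the signal, not the tunnel itself.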
2025-02-13 17:41:48 bleepingcomputer DATA BREACH Zacks Investment Suffers Potentially Third Major Data Breach
Zacks Investment Research appears to have suffered another data breach, this time affecting about 12 million accounts. In January a threat actor posted the data on a hacking forum, claiming it came from a June 2024 intrusion; it includes full names, usernames and contact details, and the actor also claimed to have obtained source code for Zacks.com and related sites. Have I Been Pwned (HIBP) loaded the dataset and confirmed 12 million unique email addresses alongside the other personal details; roughly 93% of the addresses had already appeared in earlier breaches, at Zacks or elsewhere. Zacks disclosed breaches in 2023 but has not confirmed this latest incident, and the recurrence raises questions about the firm's security practices and its ability to protect customer data.
2025-02-13 17:06:41 theregister NATION STATE ACTIVITY US Lawmakers Challenge UK's Demand for iCloud Backdoor Access
US senators have urged Director of National Intelligence Tulsi Gabbard to push back on the UK's demand that Apple build a backdoor into iCloud's end-to-end encryption. The demand was issued under the UK's Investigatory Powers Act and would reach the encrypted data of Apple users worldwide, not only in the UK. The lawmakers argue that such a backdoor would weaken the security of US citizens and government agencies that rely on Apple's encrypted services, and that any bypass of end-to-end encryption becomes a target for malicious actors; they cite the recent compromise of Microsoft systems by PRC-linked hackers. They note that weakening encryption contradicts the long-held US position that strong encryption is essential to national security, and suggest reconsidering US-UK cybersecurity cooperation and intelligence sharing if the UK does not drop the demand. The dispute has implications for international cyber policy and the wider debate over encryption standards.
2025-02-13 15:16:22 thehackernews CYBERCRIME Phishing Campaign Exploits Webflow CDN Via Fake CAPTCHA
A phishing campaign is abusing Webflow's CDN to host fake PDF documents that steal credit card data. Victims searching for documents find the PDFs in search results; each embeds a counterfeit CAPTCHA image that leads to a page asking for personal and card details, ostensibly as a condition of downloading the document. Entered card details are rejected with an error prompting re-entry, and after several attempts the victim is sent to an error page. The fake CAPTCHA step helps the pages pass static security scanners, which see only what looks like a legitimate CAPTCHA validation flow. Separately, a phishing kit called Astaroth is being sold in cybercrime circles; it uses a reverse proxy to sit between the victim and the real login page, capturing credentials and defeating 2FA. The campaign has been running since the second half of 2024, pointing to a well-organised and evolving operation.
2025-02-13 14:32:55 bleepingcomputer NATION STATE ACTIVITY Chinese Espionage Merges with Ransomware in Recent Cyber Attack
A Chinese threat actor tracked as Emperor Dragonfly used espionage tooling in a ransomware attack on an Asian software company, demanding a $2 million ransom. Researchers at Symantec and Palo Alto Networks linked the actor both to state-backed espionage and to the RA World ransomware operation. The intrusion deployed the PlugX backdoor through DLL side-loading, a loading technique characteristic of Chinese espionage operations, before ransomware was dropped. The sequence, exploitation for access, espionage activity, then ransomware, suggests a dual purpose of intelligence collection and financial gain. Symantec's report documents the overlap in tools and tradecraft between state actors and cybercriminals and provides indicators of compromise for defenders. The case fits a growing pattern in which state-sponsored operators engage in cybercrime, whether to supplement state objectives or for personal profit.
2025-02-13 14:27:14 thehackernews NATION STATE ACTIVITY North Korean Cyberattacks on South Korea Leverage Dropbox, PowerShell
A North Korean threat actor identified as APT43 (also tracked as Kimsuky) is targeting South Korean business, government and cryptocurrency organisations in a campaign named DEEP#DRIVE. Phishing emails deliver Korean-language lures disguised as work logs, insurance documents and crypto-related files, in .HWP, .XLSX and .PPTX formats. The infection chain starts with a ZIP archive containing a .LNK shortcut; opening it launches PowerShell, which fetches the next stages and establishes persistence, with PowerShell used throughout the later stages as well. Payload delivery and data exfiltration go through the Dropbox API using OAuth tokens, so the traffic blends in with legitimate cloud use and evades detection. Researchers describe heavy obfuscation and evasion and say the campaign has been active since at least September of the previous year.
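Triage for the first stage described above, a ZIP attachment carrying a .LNK that launches PowerShell, as an added example that is neither Securonix's detection content nor anything from the campaign. The shortcut is built in memory from the MS-SHLLINK layout (header, then the RELATIVE_PATH and COMMAND_LINE_ARGUMENTS string fields) so the example runs offline; the archive member names, the target path and the arguments are constructed, and the indicator lists are an assumed starting point rather than a complete rule set.

```python
"""Added example (not Securonix's or the attacker's code): triage a ZIP
attachment for a DEEP#DRIVE-style lure, a .LNK shortcut whose target is
PowerShell with loader-like arguments.

The shortcut is built here from the MS-SHLLINK layout so the example runs
offline; file names and arguments are constructed, not from the campaign.
"""
import io
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
STRING_FIELDS = (  # (LinkFlags bit, StringData field) in on-disk order
    (1 << 2, "name"), (1 << 3, "relative_path"), (1 << 4, "working_dir"),
    (1 << 5, "arguments"), (1 << 6, "icon_location"),
)
IS_UNICODE = 1 << 7

# Assumed indicators; extend from your own telemetry.
SUSPICIOUS_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript")
SUSPICIOUS_ARGS = ("-enc", "-e ", "-ec ", "hidden", "bypass", "iex", "downloadstring",
                   "frombase64string", "invoke-webrequest", "dropbox")


def build_lnk(relative_path, arguments):
    """Minimal shell link: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS."""
    flags = STRING_FIELDS[1][0] | STRING_FIELDS[3][0] | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # 76-byte ShellLinkHeader

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)


def parse_lnk(data):
    """Return the StringData fields of a .lnk as a dict (only what triage needs)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList block
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # skip the LinkInfo block
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        raw = data[off:off + (count * 2 if unicode else count)]
        off += len(raw)
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return fields


def lnk_verdict(fields):
    """Return the reasons a shortcut looks like a loader; empty list if clean."""
    target = (fields.get("relative_path", "") + " " + fields.get("working_dir", "")).lower()
    args = fields.get("arguments", "").lower()
    reasons = [f"target is {h}" for h in SUSPICIOUS_HOSTS if h in target]
    reasons += [f"argument contains {a.strip()!r}" for a in SUSPICIOUS_ARGS if a in args]
    return reasons


def scan_zip(zip_bytes):
    """Return [(member, reasons)] for every .lnk in the archive that looks malicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                reasons = lnk_verdict(parse_lnk(zf.read(info)))
            except (ValueError, struct.error):
                reasons = ["malformed .lnk"]
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed attachment: a benign note plus a lure shortcut named like a .hwp."""
    lure = build_lnk(
        r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand QQBCAEMA",
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "nothing to see here")
        zf.writestr("work_log.hwp.lnk", lure)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()):
        print(member, "->", "; ".join(reasons))
```

Real lures often carry a LinkTargetIDList and LinkInfo block as well; the parser skips both by their declared sizes, so the string fields are found at the right offset either way. The double extension (`.hwp.lnk`) is the other thing worth alerting on, since Explorer hides the `.lnk` suffix.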
2025-02-13 12:29:52 thehackernews MISCELLANEOUS Webinar Focuses on Integrating Speed with Security in Development
An upcoming webinar aims to harmonize the efforts of development and security teams to achieve both speedy deployments and robust security. Titled "Opening the Fast Lane for Secure Deployments," the session is presented by Palo Alto Networks and focuses on embedding security practices early in the development process. Sarit Tager, VP of Product Management at Palo Alto Networks, will discuss strategies for secure coding without compromising on deployment speed. The webinar addresses common issues such as security checks slowing down the development process and the risks of expedited deployment without these checks. Key benefits highlighted include reduced delays, decreased stress among teams, and a more effective path to project launches. The session promises practical, straightforward strategies that benefit both developers and security specialists, encouraging faster and safer project outcomes. Participants are invited to learn about creating a workflow that equally prioritizes speed and security, aiming to eliminate the need for compromise between the two.
2025-02-13 12:05:36 theregister NATION STATE ACTIVITY North Korea's New Crypto Developer Attacks via NPM
North Korea's Lazarus Group is targeting cryptocurrency developers through the NPM registry with a JavaScript implant called Marstech1, which is hidden in GitHub repositories and NPM packages and has already reached at least 233 victims. The implant goes after Exodus and Atomic wallets on multiple operating systems; it uses layered obfuscation to evade detection, scans for wallet installations, extracts wallet metadata and communicates with its command-and-control server over the unusual port 3000. Researchers see significant gains in the implant's stealth and functionality compared with earlier Lazarus tooling. GitHub has suspended an account the group used to seed malicious code into NPM packages. Separately, Microsoft reported that another North Korean group, Kimsuky, has been impersonating South Korean officials in emails to get targets to run malicious code. Experts stress proactive dependency vetting and continuous monitoring as the defence against these supply-chain attacks.
2025-02-13 11:59:09 thehackernews NATION STATE ACTIVITY Chinese Malware Used in Espionage Now Seen in Ransomware Attacks
In November 2024, a South Asian software company was hit with RA World ransomware by an intruder who also deployed PlugX, a backdoor long associated with Chinese state espionage. The attacker claimed to have gained initial access by exploiting the Palo Alto Networks PAN-OS flaw CVE-2024-0012. Symantec found that the toolset had previously been seen only in Chinese cyberespionage, including extensive campaigns against government and telecom organisations in Southeast Asia and Europe, and noted similarities with a Chinese group known for short-lived ransomware brands. The working hypothesis is that an individual from a state-linked espionage team used the access for personal financial gain, which is rare in Chinese operations, although there is precedent for state espionage actors also running financially motivated attacks to support their missions. The report lands amid other Chinese state activity, including Salt Typhoon's exploitation of Cisco devices at telecoms worldwide.
2025-02-13 11:03:51 thehackernews MISCELLANEOUS AI in Security: Challenges and Innovations in Identity Protection
AI is being embedded in business applications through chat interfaces, data analysis and user-preference systems, which raises new security concerns, particularly around identity. The article distinguishes symbolic AI, machine learning (ML) and large language models (LLMs), the last of which powers chatbots and content generation. Identity questions for AI applications include authenticating the user, calling APIs on the user's behalf, handling asynchronous workflows that outlive a session, and authorising which data the model may retrieve for processing. Secure deployment of generative AI (GenAI) applications depends on addressing these identity aspects rather than bolting security on afterwards. AI also amplifies attackers, who can run social engineering and vulnerability exploitation at scale. Multi-factor authentication (MFA) alone is no longer sufficient; AI-assisted detection of anomalies such as bots and stolen sessions is presented as a necessary complement. The piece frames AI as double-edged: new defensive capabilities alongside more capable threats.
2025-02-13 09:44:02 thehackernews MALWARE Palo Alto Networks Fixes High-Severity Authentication Flaw
Palo Alto Networks has patched a high-severity authentication bypass in the PAN-OS management web interface. Tracked as CVE-2025-0108, the flaw lets an unauthenticated attacker with network access to the management interface bypass authentication and invoke certain PHP scripts. It does not yield remote code execution, but it does affect the integrity and confidentiality of the system. The CVSS score is 7.8, falling to 5.1 when access to the management interface is restricted to a jump box. The root cause is a discrepancy between how Nginx (the front end) and Apache (the back end) handle the request path, which allows a directory-traversal style request to slip past the authentication check. Recommended mitigations are to keep the management interface off the internet and restrict it to trusted internal addresses, and optionally to disable or uninstall the OpenConfig plugin. The issue was found and reported by Adam Kues of Searchlight Cyber/Assetnote. Fixes for two further PAN-OS flaws were released at the same time.
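The class of bug described above, a front end that decides on the raw request path while the back end decodes and normalises it, as an added example that is not Palo Alto Networks' or Assetnote's code and does not reproduce the PAN-OS routes. The `/unauth/` prefix, the admin route and the access-log lines are illustrative stand-ins. The block shows the vulnerable split decision, the canonicalise-then-check fix, and a log sweep for requests that claim the exempt prefix but resolve elsewhere.

```python
"""Added example (not Palo Alto Networks' or Assetnote's code): how a
front-end/back-end disagreement about request paths turns into an
authentication bypass, and the canonicalise-then-check fix.

The "/unauth/" prefix, the routes and the log lines are illustrative
stand-ins, not the real PAN-OS paths.
"""
import posixpath
import re
from urllib.parse import unquote

AUTH_EXEMPT_PREFIX = "/unauth/"         # assumption: routes that need no login


def frontend_exempts_auth(raw_target):
    """Vulnerable: the front proxy decides on the raw, still-encoded path."""
    return raw_target.startswith(AUTH_EXEMPT_PREFIX)


def backend_route(raw_target):
    """What the back end actually serves: it decodes %xx and collapses '..'."""
    return posixpath.normpath(unquote(raw_target))


def canonicalize(raw_target):
    """Decode until stable, reject dangerous bytes, collapse dot segments, keep it rooted."""
    path = raw_target.split("?", 1)[0]
    for _ in range(3):                       # bounded: also catches double-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("too many encoding layers")
    if "\x00" in path or "\\" in path:
        raise ValueError("forbidden character in path")
    return posixpath.normpath("/" + path.lstrip("/"))


def hardened_exempts_auth(raw_target):
    """Fixed: the exemption is decided on the same canonical path the back end serves."""
    try:
        path = canonicalize(raw_target)
    except ValueError:
        return False
    return path == AUTH_EXEMPT_PREFIX.rstrip("/") or path.startswith(AUTH_EXEMPT_PREFIX)


TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def find_bypass_attempts(log_lines):
    """Flag requests that claim the exempt prefix but resolve somewhere else."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw = m.group(1)
        if not frontend_exempts_auth(raw):
            continue
        resolved = backend_route(raw.split("?", 1)[0])
        if not resolved.startswith(AUTH_EXEMPT_PREFIX) or TRAVERSAL_RE.search(unquote(raw)):
            hits.append((raw, resolved))
    return hits


# Constructed access-log lines in common log format.
SAMPLE_LOG = [
    '198.51.100.9 - - [13/Feb/2025:09:00:01 +0000] "GET /unauth/login.php HTTP/1.1" 200 512',
    '198.51.100.9 - - [13/Feb/2025:09:00:02 +0000] "GET /unauth/%2e%2e/php/admin.php HTTP/1.1" 200 2048',
    '198.51.100.9 - - [13/Feb/2025:09:00:03 +0000] "POST /unauth/..%2fphp/admin.php?x=1 HTTP/1.1" 200 2048',
    '203.0.113.4 - - [13/Feb/2025:09:00:04 +0000] "GET /php/admin.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    probe = "/unauth/%2e%2e/php/admin.php"
    print("front proxy exempts:", frontend_exempts_auth(probe))   # True  (the bug)
    print("back end serves:    ", backend_route(probe))           # /php/admin.php
    print("hardened exempts:   ", hardened_exempts_auth(probe))   # False
    for raw, resolved in find_bypass_attempts(SAMPLE_LOG):
        print("bypass attempt:", raw, "->", resolved)
```

The durable fix is architectural: one component canonicalises the path and every access decision downstream uses that canonical form. A hotfix that adds more patterns to the front-end check tends to be bypassed by the next encoding variant.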
2025-02-13 09:20:47 thehackernews MALWARE FINALDRAFT Malware Targets South American Government and Asian Entities
Elastic Security Labs has detailed a campaign, detected in November 2024, that used a previously unknown malware family it calls FINALDRAFT against the foreign ministry of a South American country and entities in Southeast Asia. The malware abuses Microsoft's Graph API for command and control, exchanging instructions and results through email drafts rather than conventional network callbacks. Both Windows and Linux variants exist, with capabilities for process injection, file manipulation and network proxying; the Linux build can also run shell commands and delete itself. The attackers held valid network credentials, which allowed lateral movement and further compromise inside the targeted networks. Despite the engineering quality of the tooling, the operators made mistakes and managed the campaign inconsistently. Researchers assess the malware authors as well organised and the campaign as espionage-driven.
2025-02-13 07:27:46 theregister MALWARE Palo Alto Networks Firewalls Hit by Software Glitch, Hotfix Incoming
Palo Alto Networks firewalls running PAN-OS 11.1.4-h7 and 11.1.4-h9 have been rebooting unexpectedly when they receive a particular kind of network traffic. Palo Alto Networks has produced a hotfix, 11.1.4-h12, initially released under limited availability, and expects a generally available release with additional fixes, 11.1.4-h13, by February 20. The vendor has not disclosed what traffic triggers the reboots or the underlying flaw, citing security concerns. In a separate incident, a corrupted detection rule at Proofpoint caused email delivery problems, since resolved. Both cases show how fragile the security infrastructure large organisations depend on can be, and why vendors need to ship fixes quickly and cleanly.
2025-02-13 05:01:29 theregister MISCELLANEOUS Have I Been Pwned Considers Banning Resellers Over Support Issues
Troy Hunt, who runs Have I Been Pwned (HIBP), is considering banning resellers because of their disproportionate support burden and marked-up pricing. Resellers make up only 0.86% of HIBP subscribers but generate 15.6% of support tickets, and their queries take about five times as long to handle as those from other customers. Some also inflate subscription costs substantially; one marked a $1,100 subscription up to $2,544. Hunt wants a simple subscription model, likening it to Netflix, and is looking at automation to remove the need for direct interaction with resellers; he would rather work with managed service providers (MSPs), which he believes add more value to HIBP's offering. Given reseller behaviour he describes as "shitty", including unreasonable pricing complaints and convoluted support requests, a ban is under serious consideration. Separately, HIBP has automated its handling of personal-information removal requests, streamlining the process and giving users options for how their data is handled.