Daily Brief


Total articles found: 12820


2025-02-06 01:58:28 theregister DATA BREACH Concerns Over Unauthorized OPM Server Installation and Data Usage
Democrats have raised security and legal concerns about an email server rapidly installed by the Department of Government Efficiency (DOGE) at the U.S. Office of Personnel Management (OPM) following President Trump's inauguration. The server was reportedly used to send mass emails to federal employees including severance offers, actions which came under scrutiny and led to a lawsuit demanding a mandatory privacy impact assessment. Congressional Democrats have officially demanded answers from the OPM acting director regarding the compliance of this server with the 2002 E-Government Act, specifically concerning privacy impact assessments. Questions have also been raised about the exclusion of senior OPM staff from critical systems and the integrity and safety of the data handled by the newly added IT systems. The controversy stems from historical cyber intrusions at the OPM, notably a significant breach in 2014 which was attributed to Chinese hackers and resulted in the theft of sensitive information of over 21 million government workers. Democrats are concerned about further risks to sensitive data pertaining to federal employees and the potential access by foreign adversaries such as China and Russia, given the chaotic and potentially negligent introduction of the DOGE server. There are additional concerns about the overall transparency of the DOGE, as reported measures indicate an impending reduction in public oversight and access to DOGE's operational communications. The ongoing situation could impact federal data governance, prompting calls for stricter oversight and compliance with federal data protection laws.
2025-02-06 00:13:33 theregister CYBERCRIME Telnyx Faces $4.5M Fine for Role in FCC Impersonation Scam
The FCC has proposed fining Telnyx $4.5 million following an incident where scammers used their VoIP service to impersonate FCC employees. Scammers targeted FCC staff and family members, claiming to be from a non-existent FCC Fraud Prevention Team, demanding payment in Google gift cards. The robocall scam lasted a day before Telnyx was alerted and subsequently blocked further calls. FCC Commissioner Brendan Carr emphasized that combating illegal robocalls is a high priority, supporting the bipartisan decision for the fine. Republican commissioner Nathan Simington dissented, citing a recent Supreme Court decision that might require a jury trial before imposing fines. Telnyx disputes the fine, claiming it acted quickly and effectively to stop the robocalls and has historically complied with FCC regulations on managing illegal calls. The FCC and Telnyx may negotiate a settlement, with the FCC appearing confident in its position that providers must diligently manage their networks to prevent fraud.
2025-02-05 23:21:12 bleepingcomputer MALWARE Microsoft Releases Script to Update Boot Media Against BlackLotus Bootkit
Microsoft has issued a PowerShell script for updating Windows bootable media to utilize the new "Windows UEFI CA 2023" certificate to counteract the BlackLotus UEFI bootkit. BlackLotus can bypass Secure Boot, allowing it to override the OS boot process, disable key Windows security features, and deploy malware undetected. The security update to mitigate the BlackLotus bootkit-related Secure Boot bypass, tracked as CVE-2023-24932, has been released but is disabled by default to prevent potential boot issues. This staged rollout enables Windows admins to test the fix, which adds the "Windows UEFI CA 2023" certificate to the UEFI Secure Boot Signature Database and revokes older, vulnerable boot managers. Microsoft advises that recovery or installation media must be updated with the new certificate to ensure functionality post-mitigation. The PowerShell script is available for download, requiring the installation of the Windows ADK to function correctly, and supports updating various types of bootable media. Microsoft has planned to enforce these security updates fully by the end of 2026, promising to give a six-month notice before initiation.
2025-02-05 23:12:05 theregister MISCELLANEOUS Debate Intensifies Over Mixing Rust with C in Linux Kernel
Some Linux kernel maintainers oppose incorporating Rust, viewing multi-language codebases as problematic. Kernel maintainer Christoph Hellwig resists a proposed Rust integration for managing DMA, advocating for maintaining purely C-based code for simplicity and maintainability. Hellwig argues that adding languages besides C complicates Linux kernel upkeep and could jeopardize the project's integrity and longevity. The Rust for Linux project aims to introduce Rust, which proponents believe can enhance security and reliability by avoiding common C/C++ memory safety bugs. Resistance from maintainers like Hellwig is based on concerns over maintainability and the challenge of managing code written in multiple languages. The debate highlights a broader conversation on modernizing the programming languages used in foundational technology like the Linux kernel while balancing tradition and progress. The outcome of this debate may significantly influence the future development path and security posture of the Linux kernel.
2025-02-05 21:26:30 theregister NATION STATE ACTIVITY Citrix CEO Gains 'Read-Only' Access to US Treasury Systems
The U.S. Treasury has granted Tom Krause, CEO of Citrix, "read-only" access to the government's payment system which handles trillions of dollars annually. Krause is part of DOGE, an initiative led by Elon Musk aimed at increasing government efficiency during President Trump's administration. This team has gained access to key federal computer systems. Senators Ron Wyden and Elizabeth Warren have expressed concerns about the lack of experience of Musk’s DOGE team and the potential risks of their access to sensitive systems. Treasury Secretary Scott Bessent explained in a memo that this access is part of an "operational efficiency assessment" and assured that all standard privacy and security protocols are being followed. The DOGE team's probe into federal operations includes potentially shutting down inefficient or inappropriate programs, as determined by Musk and his team. The presence of private sector leaders in significant government roles raises further concern about potential conflicts of interest and security protocols. Public and political reaction includes skepticism and caution regarding the motives and implications of Musk's increasing influence in governmental operations.
2025-02-05 21:26:29 bleepingcomputer CYBERCRIME FCC Proposes Fine for VoIP Provider Over Fraudulent Robocalls
The FCC has proposed a $4.49 million fine against Telnyx, a VoIP service provider, for allowing robocalls that impersonated an FCC fraud team. Robocallers utilized Telnyx’s services to make nearly 1,800 imposter calls, even reaching FCC staff and family members with demands for payments in gift cards. The callers, using fake names and similar account details, originated from IP addresses in Scotland and England but registered addresses in Canada. According to the FCC, these calls aimed to intimidate and defraud recipients, falsely claiming affiliation with a non-existent FCC fraud prevention team. The FCC alleges Telnyx did not adhere to Know Your Customer (KYC) rules essential for preventing misuse of telecommunications services. Telnyx refutes the FCC's claims, asserting compliance with industry standards and regulations concerning KYC practices and expressing surprise at the FCC's decision. The FCC emphasizes the importance of cracking down on illegal robocalls and ensuring that providers take responsibility for securing their networks against fraudulent activities.
2025-02-05 20:43:24 bleepingcomputer CYBERCRIME Ransomware Payments Drop 35% Despite Record Attack Numbers
Ransomware payments decreased by 35% in 2024, totaling $813.55 million, a significant drop from $1.25 billion in 2023. The decrease in payments occurred even though 2024 experienced an all-time high of 5,263 successful ransomware attacks. Only 30% of victims who entered negotiations with ransomware actors ended up paying the ransom, with rising resistance attributed to increased cybersecurity measures and awareness. High-profile law enforcement initiatives, such as Operation Cronos, severely disrupted major ransomware operations, including the prolific LockBit group. Despite record ransom payments by some, median ransom amounts dropped, indicating successful negotiations for lower payments. Ransomware money laundering became more challenging due to law enforcement's tighter control over cryptocurrency services, shifting criminal tactics towards cross-chain bridges and personal wallets. A record $75 million ransom payment was made by a Fortune 50 company to the Dark Angels group, highlighting the severe threats still posed by ransomware groups.
2025-02-05 19:38:32 theregister MISCELLANEOUS Elon Musk's Associate Granted Limited Access to US Payment Systems
Elon Musk's Department of Government Efficiency (DOGE) associate, Tom Krause, received "read-only" access to crucial federal payment systems handling trillions annually. The US Treasury response to congressional concerns emphasized that this access is part of an operational efficiency assessment. Senators Ron Wyden and Elizabeth Warren raised security concerns following reports that Musk's associates had broader access. Krause, CEO of Cloud Software Group, is collaborating with seasoned Treasury officials, adhering to established security and privacy protocols. His role classified as a "special government employee" is a common designation used across different government administrations. The access level granted to Krause is comparable to what external auditors receive when reviewing Treasury systems. Despite political and public concerns, the Treasury maintains that all standard procedures and safety measures are in place. Controversy continues as Musk and his affiliations with government projects come under increasing scrutiny from legislators.
2025-02-05 19:03:07 bleepingcomputer NATION STATE ACTIVITY CISA Orders Federal Patch of Linux Kernel Exploit Within Three Weeks
CISA has mandated that federal agencies address a critical Linux kernel bug by February 26, following its active exploitation in cyberattacks. The flaw, identified as CVE-2024-53104, affects the USB Video Class (UVC) driver and allows privilege escalation without requiring additional execution privileges. Initially detected in Linux kernel version 2.6.26, the vulnerability involves an out-of-bounds write triggered by incorrect parsing of UVC_VS_UNDEFINED frames. Google has addressed this vulnerability in its latest Android security updates, noting that exploitation is likely limited and targeted. The exploit is likely connected with forensic data extraction tools used in cyber espionage, underscoring the vulnerability's significance in security breaches. Other notable software vulnerabilities in Microsoft .NET Framework and Apache OFBiz were also flagged by CISA as actively exploited. CISA's actions align with the 2021 Binding Operational Directive requiring prompt patching of known exploited vulnerabilities to protect federal networks. Enhanced forensic visibility in network edge devices has been recommended by the Five Eyes cybersecurity alliance to improve defense and breach investigations.
2025-02-05 18:45:35 bleepingcomputer CYBERCRIME Phishing Campaign Targets Organizations via Spoofed Microsoft ADFS
Hackers launched a phishing campaign by spoofing Microsoft Active Directory Federation Services (ADFS) login pages to steal user credentials. The primary targets identified include sectors like education, healthcare, and government, affecting at least 150 entities. The campaign's goal is to steal email account access and conduct financially motivated schemes, such as business email compromise (BEC). Attackers impersonated IT support in emails, directing victims to fraudulent ADFS login pages that mimic legitimate ones, capturing usernames, passwords, and multi-factor authentication (MFA) codes. The phishing templates were specifically designed to collect different forms of MFA details, including codes from apps like Microsoft Authenticator and Duo Security, or SMS. Post-theft, the attackers used the credentials to log in immediately, steal valuable data, and perform lateral phishing within the organization. The attackers utilized the Private Internet Access VPN to hide their location and mimic IPs closer to the targeted organizations to increase the attack's success rate. Recommendations for organizations include migrating to more secure systems such as Microsoft Entra and enhancing email and anomalous activity monitoring systems to detect and prevent such phishing attacks.
2025-02-05 18:36:42 bleepingcomputer MALWARE AMD Issues Fixes for Critical CPU Microcode Security Vulnerability
AMD has released updates to correct a high-severity vulnerability allowing the insertion of malicious CPU microcode due to a signature verification flaw in their ROM microcode patch loader. This vulnerability, identified as CVE-2024-56161, could compromise the integrity and confidentiality of systems under AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP). Attackers with local admin access could exploit this flaw to disrupt confidential computing environments protected by the latest AMD Secure Encrypted Virtualization technology. Google Security Team, along with other researchers, discovered and demonstrated this flaw using a proof-of-concept exploit on AMD EPYC and Ryzen CPUs, illustrating how the breach could manipulate certain processor instructions. Affected platforms must undergo a microcode update and possibly a SEV firmware update to fully mitigate the risk and restore secure system operation. Proper installation of these updates can be verified through the system BIOS, ensuring the installed microcode version matches AMD's list of secure microcode. AMD has also responded to reports of new cache-based side-channel attacks affecting its SEV technology, advising developers on best practices to mitigate these vulnerabilities.
2025-02-05 16:47:56 bleepingcomputer CYBERCRIME CISA Warns of Exploited Vulnerabilities in Microsoft and Apache Software
CISA has updated its Known Exploited Vulnerabilities catalog, adding four vulnerabilities affecting key software applications. Urgent updates are advised for government agencies and large organizations to patch flaws in Microsoft .NET Framework and Apache OFBiz. CVE-2024-29059 in .NET Framework involves a high severity information disclosure issue first flagged by CODE WHITE but only recently acknowledged by Microsoft. Apache OFBiz is affected by CVE-2024-45195, a critical remote code execution flaw discovered by Rapid7 and patched in the latest OFBiz release. Both vulnerabilities are actively being exploited, although specific details about the attackers and their targets remain undisclosed. The other two vulnerabilities, CVE-2018-9276 and CVE-2018-19410, relate to Paessler PRTG network monitoring software, fixed back in June 2018. CISA has set a compliance deadline by February 25, 2025, for the application of available patches or cessation of use of the affected products.
2025-02-05 16:32:41 theregister CYBERCRIME Netgear Patches Critical Bugs Amid Global Security Alerts
Netgear has issued patches for two critical vulnerabilities in their routers, urging users to update their firmware. The vulnerabilities, labeled with PSV IDs 2024-0117 and 2023-0039, include an authentication bypass and a remote code execution flaw, with CVSSv3 scores of 9.6 and 9.8 respectively. Affected models include the WAX206, WAX220 (both EOL), and WAX214v2, alongside the Nighthawk gaming range (XR100, XR1000v2, XR500). Simultaneously, national cybersecurity agencies from countries including the US, UK, Canada, Australia, and Japan advised on enhancing security for edge devices like routers and IoT devices. These global alerts followed a series of security concerns involving other major vendors like Ivanti and Fortinet, pointing to a widespread issue with unpatched vulnerabilities. Updated guidance focuses on increased logging and forensic capabilities, along with comprehensive mitigation strategies to defend against and manage intrusions. The efforts by national agencies emphasize creating a technology culture that integrates security deeply and allows for effective incident response and investigation.
2025-02-05 15:40:41 bleepingcomputer NATION STATE ACTIVITY Spanish Police Arrest Hacker Targeting NATO, US Army
Spanish authorities apprehended a hacker in Alicante suspected of launching 40 cyberattacks on key entities, including NATO and the US Army. The investigation began in early 2024 after a data leak was reported by a Madrid business association, which led to the identification of leaks on dark web forums. The hacker used multiple aliases to carry out attacks and sell stolen data on BreachForums, impacting major global and governmental organizations. Victims of these cyberattacks included the Guardia Civil, the Spanish Ministry of Defense, and various international universities. Stolen data, which included personal details of employees and internal documents, was either sold or freely published online. The raid on the hacker's home led to the seizure of computers, electronic devices, and 50 cryptocurrency accounts. Collaborative efforts from Europol, US Homeland Security Investigations, and Spain's National Cryptologic Center were crucial in tracing and capturing the suspect. The hacker faces multiple charges, including money laundering and illegal access to IT systems, with potential penalties of up to 20 years in prison.
2025-02-05 15:02:11 thehackernews NATION STATE ACTIVITY Lazarus Group's New Malware Campaign Targets Global Crypto Wallets
The North Korea-linked Lazarus Group has initiated a new malware campaign using deceptive LinkedIn job offers to target individuals in the cryptocurrency and travel sectors. Targets are enticed with the promise of remote work opportunities and, through interaction, are induced to share their CV or a GitHub repository link. The attack progresses as the scammer, posing as a recruiter, provides a link to a seemingly project-related GitHub or Bitbucket repository, which includes a harmful MVP version of a decentralized exchange. An obfuscated script within the code retrieves a cross-platform JavaScript information stealer capable of harvesting details from cryptocurrency wallet extensions. This malware also acts as a loader for a Python-based backdoor that monitors clipboard content changes, maintains persistent access, and can deploy additional malicious payloads. The infection chain is complex, involving software in multiple programming languages and technologies, including .NET binaries that can start a TOR proxy to connect with a C2 server and initiate crypto miners. Bitdefender has reported evidence of widespread activity related to this campaign, with variations in attack methods observed across different instances reported on LinkedIn and Reddit. This campaign's revelation follows another discovery by SentinelOne involving similar tactics by Lazarus Group, highlighting the persistent and sophisticated threat posed by this nation-state actor.