Daily Brief

Total articles found: 12820

Checks for new stories every ~15 minutes

2025-02-04 15:06:36 bleepingcomputer CYBERCRIME How Compromised VPN Passwords Endanger Active Directory Security
VPNs provide secure remote network access, but compromised credentials pose significant risks to corporate Active Directory environments. Over 2.1 million VPN passwords were stolen last year, with many employees reusing these passwords for other services, including their Active Directory access. Hackers harvest VPN credentials through methods like malware, phishing, and fake VPN portals, then sell them on dark web markets for further exploitation. Attackers use stolen credentials to perform lateral movements within networks, escalate privileges, and eventually target domain controllers for full network control. Strengthening password policies to prevent using known compromised passwords and enforcing regular password changes are essential defenses. Implementing Multi-factor Authentication (MFA) for all VPN accesses significantly enhances security by requiring additional verification. Continuous monitoring of VPN access and regular security audits help detect and mitigate unauthorized access attempts or potential vulnerabilities. Regular security training for employees on the risks of password reuse and phishing can prevent credential theft and improve overall network security.
2025-02-04 15:06:36 bleepingcomputer CYBERCRIME California Man Sentenced for $50 Million Online Investment Fraud
A 59-year-old man from Irvine, California, named Allen Giltman, was sentenced to 87 months in prison following his role in a massive investor fraud scheme. Giltman and his accomplices created over 150 fake investment websites mimicking legitimate financial institutions to advertise fraudulent investment opportunities, primarily in high-rate certificates of deposit. These scam websites were promoted through targeted ads on popular search engines like Google and Microsoft Bing, using phrases related to searching for the best investment rates. The fraudsters impersonated real broker-dealers registered with the Financial Industry Regulatory Authority (FINRA), misleading victims into thinking they were dealing with legitimate professionals. Victims were deceived into wiring funds to purchase certificates of deposit; however, they received nothing in return, with their money funneled into various international bank accounts. Tactics to maintain anonymity included using VPNs, encrypted communication apps, and prepaid cards for registering web domains. In addition to his prison term, Giltman faces 3 years of supervised release and is required to forfeit assets confiscated upon his arrest. Prior warnings about similar fraudulent activities were issued by the FBI and FINRA, alerting investors to the risks of such scams.
2025-02-04 14:51:15 theregister CYBERCRIME Canadian Math Prodigy Indicted in $65M Crypto Fraud Scheme
A 22-year-old Canadian, previously hailed as a math prodigy, has been criminally charged by U.S. federal prosecutors for exploiting vulnerabilities in crypto finance protocols, siphoning roughly $65 million. The accused manipulated smart contracts on KyberSwap and Indexed Finance, conducting deceptive trades and transfers to steal funds. He also attempted to extort victims following the KyberSwap breach in 2023 and laundered the stolen assets through blockchain "bridging." Despite his previous legal issues in Canada, where an arrest warrant remains active, his current whereabouts are unknown, and he is suspected to be in hiding in Europe or South America. His defense, hinged on the "code is law" ideology, asserts that exploiting software flaws does not constitute a breach of law—a view not widely accepted in legal circles. If convicted, he faces severe penalties, including up to 20 years in prison for the most serious charges of wire fraud and money laundering.
2025-02-04 14:43:41 bleepingcomputer NATION STATE ACTIVITY Russian Hackers Exploit 7-Zip Flaw in Attacks Against Ukraine
Russian threat actors exploited a zero-day vulnerability in 7-Zip to bypass Windows' Mark of the Web security feature. The exploitation allowed for the delivery of SmokeLoader malware without triggering security warnings. The attacks targeted Ukrainian government and private entities using phishing techniques and seemingly legitimate emails. The CVE-2025-0411 vulnerability involved creating an archive within an archive, where the inner archive did not inherit security flags. Trend Micro discovered the flaw and disclosed it to the 7-Zip developers, leading to a patch release in version 24.09. Organizations are urged to update 7-Zip to the latest version due to the absence of an auto-update feature to address this security risk. Enhanced vigilance and updated security protocols are recommended for users potentially targeted in similar nation-state attacks.
2025-02-04 14:19:00 thehackernews MALWARE Malicious Go Package Exploits Caching to Maintain Access
Cybersecurity experts uncovered a software supply chain attack within the Go programming ecosystem, using a malicious package. The package, named github.com/boltdb-go/bolt, is a typographical spoof of the legitimate BoltDB module, aimed at deceiving developers. Published on GitHub in November 2021 and subsequently cached by the Go Module Mirror service, the malicious package grants remote access to infected systems. The attacker used this caching feature to make the malicious module consistently available, even after altering the repository to appear benign. This method allows the execution of arbitrary commands on compromised systems, significantly raising concerns about the security of module caches. Although the immutable nature of cached modules can benefit legitimate use, it also provides a persistent distribution channel for malicious code. Security professionals are advised to be vigilant regarding cached module versions and their potential use in evading detection.
2025-02-04 12:34:15 thehackernews CYBERCRIME Russian Cybercrime Exploits 7-Zip Flaw in Ukrainian Espionage Efforts
A security vulnerability in 7-Zip was exploited by Russian cybercriminals to deliver SmokeLoader malware. The CVE-2025-0411 vulnerability allowed attackers to bypass Microsoft's mark-of-the-web (MotW) protections and execute malicious code. The flaw was used in spear-phishing campaigns that disguised file types to trick users into granting execution privileges to harmful files. The exploitation targeted Ukrainian governmental and non-governmental organizations, reflecting a broader cyber espionage agenda amid the Russo-Ukrainian conflict. Microsoft's MotW security feature, intended to block auto-execution of internet-downloaded files, was circumvented using double-archiving techniques. Investigations by Trend Micro found that the phishing emails were crafted to appear as if sent from compromised Ukrainian authority and business email accounts. Recommended security measures include updating 7-Zip to the latest version, employing robust email filtering, and disabling file execution from untrusted sources. The threat was especially significant for smaller Ukrainian local government entities, which generally have fewer cybersecurity defenses.
2025-02-04 12:12:05 thehackernews NATION STATE ACTIVITY North Korean Hackers Use Fake Job Interviews to Spread Malware
North Korean hackers are using a fake job recruitment drive to deploy malware known as FERRET on macOS systems. The attack vector involves posing as recruiters on LinkedIn and directing candidates to download malicious video conferencing software. The malicious software includes the JavaScript-based BeaverTail for data harvesting and the Python backdoor InvisibleFerret. Additional malware families discovered, such as OtterCookie, FRIENDLYFERRET and FROSTYFERRET_UI, target data and cryptocurrency wallets. The malware also includes components for persistence on infected systems and connects to now-unresponsive C2 servers. Diverse propagation methods were observed, including fake GitHub issues and npm packages like postcss-optimizer that mimic legitimate software. NTT Security Holdings and cybersecurity firm Socket exposed further malicious activity and the persistence of these threats across multiple systems.
2025-02-04 11:50:02 theregister CYBERCRIME Cyberattack Disrupts NHS Hospital Services, Delays Cancer Care
Last year's cyberattack on Wirral hospitals continues to severely affect cancer treatment wait times, with delays expected to persist for months. The attack, initiated on November 25, 2024, disabled key clinical systems, forcing healthcare operations to revert to manual, paper-based methods. December data revealed a significant rise in the number of patients waiting longer than the 62-day treatment standard, with figures reaching record highs for the year. Operational teams at Wirral University Teaching Hospitals are striving to manage treatment backlogs and improve waiting times for elective procedures. Despite efforts to recover, the cyberattack's impacts are likely to continue affecting patient care through January and beyond, as mentioned by the COO and deputy CEO in a board update. Financially, the cyber incident contributed approximately £3 million to the trust’s forecasted £14.7 million deficit, with ongoing requests for additional funds to cover operational costs. The hospital's cybersecurity measures responded adequately to CareCERT alerts, but staffing shortages remain a challenge, especially in cyber and coding roles. No group has claimed responsibility for the attack, and details regarding the breach method through a shared digital service remain limited.
2025-02-04 11:02:44 theregister CYBERCRIME Abandoned AWS S3 Buckets Pose Severe Global Supply Chain Risks
Researchers discovered that unused AWS S3 buckets, if reactivated, can be exploited to inject malicious software across the global software supply chain. Approx. 150 abandoned but still referenced S3 buckets were found capable of being hijacked, potentially surpassing the impact of the infamous SolarWinds breach. Upon re-registering these buckets, researchers observed over eight million requests for sensitive files from high-profile sources including NASA, military, and Fortune 500 companies. The exploit involves simply stocking these buckets with malicious updates or code, which unsuspecting systems then automatically download and execute. This vulnerability highlights broader issues of cybersecurity negligence in managing cloud infrastructure, where former assets can easily be turned into weapons. WatchTowr and AWS have worked together to mitigate the immediate threat by "sinkholing" the identified buckets, preventing their future malicious use. AWS assures that their infrastructure is functioning as expected, promoting best practices that include unique bucket naming and proper application configuration. The simplicity of exploiting such vulnerabilities emphasizes the urgent need for more robust security measures against abandoned digital infrastructure.
2025-02-04 11:02:44 thehackernews MISCELLANEOUS Key Trends in Cloud Security Transformation for 2025
Cloud security in 2025 will focus on integrating proactive measures due to the sophistication of attacks targeting cloud environments, necessitating comprehensive security platforms. Security operations centers (SOC) will play a more central role in cloud security by 2025, with an emphasis on integrating cloud-specific threat detection for improved resilience. Data security becomes paramount in Cloud-Native Application Protection Platforms (CNAPPs) as generative AI adoption increases, stressing the importance of built-in data security features. Organizations are shifting application security budgets to unified platforms for enhanced threat detection and prevention capabilities, moving away from fragmented security tools. As AI-generated code gains prevalence, protecting intellectual property becomes critical, necessitating robust data auditing and compliance frameworks. Regulatory compliance for AI data handling will tighten, requiring advanced strategies and increased security measures to keep pace with new AI-driven vulnerabilities. The pursuit of innovation may lead to security compromises, highlighting the need for secure frameworks that allow rapid development without increasing risks. AI-powered malware poses an emerging threat, incorporating capabilities like automating phishing and enhancing social engineering tactics, which could outpace traditional security measures.
2025-02-04 09:37:55 theregister MISCELLANEOUS NAO Urges UK Government to Embrace Technology for Improved Services
The UK government is urged by the National Audit Office (NAO) to make strategic use of technology to enhance economic productivity and public service delivery amidst financial constraints. Gareth Davies, head of the NAO, highlights the need for fundamental approaches in public service design and pointers for increased cyber resilience to cope with both current and future threats. The upcoming five-year spending review in June will heavily feature initiatives aimed at addressing productivity barriers that have been exacerbated by both the 2008 financial crisis and the COVID-19 pandemic. The adoption of artificial intelligence (AI) technologies such as the Humphrey AI toolset is recommended to improve efficiency in public services and to manage the growing demand. The approach to AI should focus on maximizing benefits while effectively managing associated risks to ensure equity and maintain public trust. Additional recommendations include systemic reforms, investment in skills development, and enhanced asset maintenance to support productive public service operations. The emphasis is also on better preparation and adaptable risk management systems to handle increasingly likely events such as pandemics, extreme weather conditions, or cyber threats. The NAO report also criticizes current governmental practices in tech procurement and urges learning from past project failures to reallocate resources to more successful initiatives.
2025-02-04 09:37:54 thehackernews NATION STATE ACTIVITY Taiwan Prohibits DeepSeek AI Use Amid Security and Data Risks
Taiwan has officially banned all government agencies from utilizing DeepSeek's AI platform due to significant national security and data leakage risks. DeepSeek AI, a Chinese-owned service, poses information security concerns due to cross-border data transmission and its susceptibility to information leakage. Recently, Italy and other countries also restricted or scrutinized DeepSeek AI due to opaque data handling practices. The AI chatbot has been targeted by multiple DDoS attacks from global actors, including the United States, United Kingdom, and Australia. DeepSeek AI's popularity led to its exploitation via fake packages on the Python Package Index (PyPI) that were found to steal sensitive user and system data. The European Union's new Artificial Intelligence Act, effective from February 2025, mandates strict regulations on AI applications to mitigate security risks. The United Kingdom has introduced an AI Code of Practice to protect against hacking and sabotage of AI systems, highlighting global movements towards secure AI operations.
2025-02-04 09:29:19 bleepingcomputer DATA BREACH GrubHub Reveals Data Breach Affecting Customers and Merchants
GrubHub disclosed a data breach affecting customers, merchants, and drivers, originating from a compromised third-party service provider account. The breach exposed names, email addresses, phone numbers, and partial payment card details of certain individuals. GrubHub terminated the compromised service provider's account, enhanced security, and hired forensic experts to investigate the breach. No evidence was found that sensitive data such as Social Security numbers or full payment card details were accessed. Following the breach, GrubHub implemented additional security measures including password rotations and anomaly detection mechanisms. Affected data included hashed passwords of certain legacy systems; GrubHub has since rotated potentially impacted passwords. The company urged all users to employ unique passwords across platforms to reduce security risks. GrubHub supports over 375,000 merchants and 200,000 delivery partners across more than 4,000 cities.
2025-02-04 09:06:11 thehackernews MALWARE High Severity Flaw in AMD SEV-SNP Permits Malicious Microcode Loading
A critical vulnerability has been identified in AMD’s Secure Encrypted Virtualization (SEV) technology. CVE-2024-56161 allows attackers with admin rights to inject malicious CPU microcode, leading to potential data breaches. AMD attributes the flaw to improper signature verification during the CPU microcode patch process. The flaw was discovered by Google researchers and disclosed on September 25, 2024, with a CVSS score of 7.2 indicating high severity. SEV's Secure Nested Paging (SNP) feature, which enhances memory integrity, is specifically affected. Google highlighted the vulnerability's link to an insecure hash function used in microcode update signature checks. A test payload was released by Google to demonstrate the vulnerability; however, further technical details will be delayed to allow time for patch distribution.
2025-02-04 08:20:04 theregister NATION STATE ACTIVITY Google and Netgear Release Critical Security Patches
Google issued February Android updates, patching a severe kernel-level vulnerability (CVE-2024-53104) potentially exploited in targeted attacks. The Linux kernel flaw addressed involves the USB video-class driver, which could be exploited via malicious USB devices to gain device control. Another critical flaw, CVE-2024-45569, found in Qualcomm's wireless LAN stack allows for privileged remote code execution. Google's latest patch release includes 46 updates; however, most other vulnerabilities are rated with "high" severity. Specifically, MediaTek devices, Imagination Technologies' GPUs, and additional Qualcomm components received critical updates. Netgear has also released critical patches for its Nighthawk routers and Wi-Fi 6 access points, addressing unauthenticated remote code execution and authentication bypass flaws. Users of Google's Pixel devices receive priority in downloading these updates, with other manufacturers lagging in release schedules. Both companies emphasize the importance of immediate patch application to prevent potential exploits and ensure user security.