Daily Brief


Total articles found: 12820

Checks for new stories every ~15 minutes

2025-02-04 05:12:21 thehackernews MALWARE Microsoft Addresses Severe Azure AI and Account Vulnerabilities
Microsoft recently patched critical-rated security flaws in Azure AI Face Service and Microsoft Account. An authentication bypass by spoofing vulnerability in Azure AI, identified as CVE-2025-21415, could allow privileged escalation. Another vulnerability, CVE-2025-21396, involves missing authorization and could also enable unauthorized privilege escalation. Both vulnerabilities were critically rated with a CVSS score of 9.9 and are now fully mitigated without requiring any customer action. A proof-of-concept exploit was known for CVE-2025-21415, highlighting potential risk prior to the fix. Microsoft credited an anonymous researcher and a security researcher known as Sugobet for discovering the flaws. The company emphasized its commitment to transparency and the importance of sharing information on resolved vulnerabilities to strengthen cybersecurity resilience. These patches are part of Microsoft's ongoing initiative to address and disclose vulnerabilities in cloud services, enhancing overall security infrastructure.
2025-02-04 04:59:43 thehackernews MALWARE Google Combats 47 Android Vulnerabilities Including Critical UVC Exploit
Google has issued patches for 47 vulnerabilities in Android's OS, highlighting an actively exploited flaw in the kernel. The actively exploited vulnerability is tracked as CVE-2024-53104, with a CVSS score of 7.8, and affects the USB Video Class (UVC) driver. CVE-2024-53104 allows privilege escalation through an out-of-bounds write in the Linux kernel and has existed since version 2.6.26. Successful exploitation could lead to memory corruption, program crashes, or arbitrary code execution. Another critical patched flaw, CVE-2024-45569 in Qualcomm's WLAN component, has a CVSS score of 9.8 and poses a substantial risk of memory corruption. Google released two patch levels, 2025-02-01 and 2025-02-05, to help Android partners deploy fixes for these issues quickly. Android partners are urged to incorporate fixes for all the vulnerabilities listed in the latest security bulletin to improve device security.
2025-02-04 04:30:43 thehackernews CYBERCRIME Microsoft Patches Critical SharePoint Connector Vulnerability
Cybersecurity experts uncovered a severe vulnerability in the Microsoft SharePoint connector used within the Power Platform that could enable credential theft and unauthorized data access. The flaw, identified as server-side request forgery (SSRF), arises from the SharePoint connector allowing the insertion of custom URLs, potentially enabling attackers to impersonate users. Exploitation requires the attacker to possess specific user roles within Power Platform, namely Environment Maker and Basic User, indicating a need for initial access to the target's environment. Microsoft addressed the vulnerability in December after a responsible disclosure in September, emphasizing the importance of timely and effective patch management. The vulnerability affects multiple components of the Power Platform, including Power Automate, Power Apps, Copilot Studio, and Copilot 365, posing a risk to a wide range of corporate data and processes. The potential attack could extend beyond SharePoint, leveraging other Power Platform services to broaden the scope and increase the severity of the incident. The exposure underscores the critical nature of interconnected service architectures and the need for comprehensive security measures across all enterprise environments.
2025-02-04 03:01:25 theregister MISCELLANEOUS Why Digital Resilience is Essential for Modern Banks
Digital resilience in banks extends beyond operational continuity; it includes the ability to anticipate, withstand, recover from, and adapt to cyberattacks and other digital disruptions. The financial sector's reliance on vast data repositories and critical payment systems makes it a prime target for cyber incidents, underscoring the need for robust security and recovery strategies. Implementing a proactive strategy that surpasses the traditional "prevent, detect, and respond" approach is crucial, emphasizing the importance of quick recovery to maintain operations and customer trust. Banks are advised to deploy structured resilience approaches like tiered application frameworks, edge deployments, and redundancies to mitigate risks and ensure service continuity during disruptions. Aligning with industry standards such as NIST and ISO 27001, along with utilizing advanced tools like F5's security and analytics solutions, strengthens a bank’s defensive posture. Regular disaster recovery testing, real-time monitoring, and fostering collaboration across IT and business units are essential practices that enhance digital resilience. Building digital resilience is an ongoing journey requiring continual adaptation to evolving threats, reinforced by partnerships with trusted vendors and a comprehensive resilience strategy at all organizational levels.
2025-02-03 22:34:11 theregister MISCELLANEOUS Audit Investigates TSA Facial Recognition Tech at US Airports
The Department of Homeland Security's Inspector General is auditing the TSA's facial recognition technology following concerns from US Senators. The audit aims to assess how TSA’s technology enhances security and protects passenger privacy in airport screenings. Senator Jeff Merkley highlighted concerns about transforming the US into a "national surveillance state" without proper opt-out provisions. TSA has deployed facial recognition technology in a pilot program across 25 airports and plans to extend it to 430 airports. Critics, including Merkley, have raised issues with privacy and the efficacy of the technology, leading to legislative attempts to restrict its use. Despite lacking detail on the audit scope, issues like error rates, reduction in screening delays, and overall effectiveness will be reviewed. TSA has cited a high accuracy rate for the technology, but the practical implications mean thousands of travelers could still be misidentified daily.
2025-02-03 21:39:44 bleepingcomputer DATA BREACH Amazon Redshift Enhances Security to Guard Against Data Breaches
Amazon has introduced significant security updates for its Redshift data warehousing service to address vulnerabilities from misconfigurations and insecure default settings. The updates include three new security defaults aimed at bolstering data protection in newly created provisioned clusters, serverless workgroups, and restored clusters. New clusters will now deny public access by default, requiring users to explicitly enable such access through secure methods if necessary. Encryption of data will be enforced by default using an AWS-owned Key Management Service (KMS) key, ensuring protection even during unauthorized access scenarios. SSL (TLS) connections will be mandatory for all new and restored clusters to protect data from interception and man-in-the-middle attacks. These measures respond to past incidents, such as the October 2022 Medibank ransomware incident, involving unauthorized access to the Redshift platform which led to a significant data breach. Existing Redshift users are encouraged to revise their settings to align with the new defaults to avoid potential disruptions and improve security.
2025-02-03 20:18:50 bleepingcomputer MALWARE Google Patches Exploited Android Kernel Zero-Day Vulnerability
Google's January 2025 Android updates addressed 48 vulnerabilities, including an actively exploited zero-day kernel flaw. This zero-day, identified as CVE-2024-53104, is a critical privilege escalation issue in the Android kernel’s USB Video Class driver. The vulnerability allows attackers with local access to execute arbitrary code or cause denial-of-service through improper frame parsing and out-of-bounds writes. Another critical flaw, CVE-2024-45569 in Qualcomm’s WLAN component, was patched, enabling remote arbitrary code execution via firmware memory corruption. The Android updates were released in two batches, with comprehensive fixes in the latter patch aimed at diverse Android hardware configurations. Google Pixel users receive immediate updates, while other device manufacturers may delay updating due to testing and compatibility adjustments. Past exploits, including those by government entities using the NoviSpy spyware, highlight the ongoing challenge of securing mobile devices against targeted attacks.
2025-02-03 19:25:14 bleepingcomputer CYBERCRIME Canadian Charged for $65 Million DeFi Crypto Exploitation
A Canadian man is accused by the U.S. Justice Department of stealing approximately $65 million by exploiting vulnerabilities in decentralized finance (DeFi) protocols. The individual exploited automated smart contracts on the Ethereum network, affecting the KyberSwap and Indexed Finance platforms. He allegedly drained $48.4 million from KyberSwap liquidity pools and $16.5 million from Indexed Finance pools using deceptive trades. After the exploitation, he attempted extortion by offering a fake settlement in exchange for control of the protocol. He is charged with multiple offenses, including wire fraud, computer damage, extortion, and money laundering conspiracy. The accusations include laundering money through crypto mixers and using false IDs to obscure the origin of the transactions. If convicted, the charges carry penalties of up to 20 years in prison for most counts.
2025-02-03 18:55:14 bleepingcomputer CYBERCRIME Casio UK Online Store Compromised, Credit Card Theft Reported
Casio UK's e-commerce site was hacked between January 14 and January 24, 2025, exposing customer credit card information. The breach involved malicious scripts that intercepted customer data during the checkout process on casio.co.uk. Security firm JSCrambler identified the breach and alerted Casio, which then removed the malicious scripts within 24 hours. The attack exploited vulnerabilities in the Magento platform and affected 17 other websites, which remain unnamed as investigations continue. The operation involved a two-stage skimming process, with scripts hosted on a Russian server, designed to collect extensive personal and financial details from customers. Although Casio had a Content Security Policy (CSP) in place, it was not strict enough, allowing the attack to proceed without triggering any policy violations. This incident is part of a troubling pattern for Casio, following previous data breaches and ransomware attacks affecting various company departments.
2025-02-03 16:35:28 bleepingcomputer MALWARE Malicious AI Tool Imitations Used for Data Theft Uncovered
Threat actors leveraged the popularity of DeepSeek AI to distribute infostealer malware via the Python Package Index (PyPI). Fake packages named "deepseeek" and "deepseekai" mimicked developer tools, deceiving users into downloading them. Malicious code within these packages was designed to steal user and system information, including API keys and database credentials. The stolen data was sent to a command-and-control server, potentially compromising cloud services and databases accessed by developers. Positive Technologies identified and reported the rogue packages to PyPI, which took swift action to quarantine and delete them. Despite the rapid response, 222 developers had already downloaded the packages, primarily from the U.S., requiring urgent security measures such as rotating keys and passwords. Impacted developers are advised to audit the cloud services and infrastructure those credentials could reach to ensure no further unauthorized access.
2025-02-03 13:59:37 thehackernews CYBERCRIME Sharp Increase in Exploited Vulnerabilities in 2024, Report Reveals
In 2024, 768 CVEs were reported as exploited, representing a 20% increase from 2023. About 23.6% of these vulnerabilities were weaponized at or before public disclosure, slightly down from 26.8% in 2023. VulnCheck highlights attackers' proactive effort to exploit vulnerabilities at any stage of their lifecycle. The 2023 data indicated significant exploitation linked to Chinese hacking groups, involving the top routinely exploited vulnerabilities. The Log4j vulnerability remains the most targeted, with 31 threat actors associated with its misuse. An estimated 400,000 vulnerable systems exposed on the internet are at risk from attacks on vulnerabilities in widely used products from companies such as Microsoft and Cisco. Recommended actions for organizations include increasing visibility into threats, improving patch management, and minimizing internet exposure of critical systems.
2025-02-03 12:34:18 thehackernews CYBERCRIME PyPI Enhances Security with New Project Archival Feature
PyPI has introduced a new feature enabling developers to archive Python packages, signaling no future updates or security fixes. Archived projects will still be accessible on PyPI for installation, but will be clearly marked as no longer maintained. This move aims to enhance supply chain security by informing users about the status of the packages they are using. PyPI recommends releasing a final version of a package prior to archival, including a warning in the project description and suggesting alternative packages. Additionally, PyPI has implemented a quarantine mechanism to prevent the installation of potentially malicious packages and allow time for further investigation. In November 2024, the library "aiocpa" was quarantined due to malicious code aimed at stealing private keys via Telegram; approximately 140 projects have been quarantined since the feature's implementation. Quarantine status offers a balance by protecting users while allowing potential restoration of falsely flagged projects, preserving their history and data.
2025-02-03 12:04:05 thehackernews MISCELLANEOUS Weekly Cybersecurity Recap: AI Scrutiny and Vital Software Updates
DeepSeek, a popular AI platform from China, has faced intense scrutiny due to its susceptibility to manipulations that allow the generation of malicious content. Concerns over the AI's security prompted temporary halts to user registration and led to its ban on government devices in Italy and by Texas Governor Greg Abbott. The recap encourages continuous updates and awareness for commonly used software, listing CVEs that highlight critical security flaws needing attention. Windows has been touted for its built-in ransomware protection feature, which allows users to safeguard important data from untrusted applications. Cybersecurity practices, such as regular software updates and stronger passwords, are likened to strengthening the locks on a door to ensure digital safety. Regular reviews and updates of cybersecurity measures are advised to maintain a secure online and digital presence. Simple actions like activating Windows' Controlled Folder Access are recommended as easy yet effective ways of enhancing digital security.
2025-02-03 11:51:48 theregister DATA BREACH Investigation into Fraud After Major UK Police Data Breach
The Police Service of Northern Ireland (PSNI) experienced a significant data breach in 2023, exposing personal data of 9,483 officers and staff. The breach occurred due to an error in handling a Freedom of Information request, making the sensitive information accessible online for two hours. In response to safety concerns, the PSNI offered £500 to each affected employee for personal security measures, with about 90% accepting the compensation. Following concerns about fraudulent activities related to these payments, the PSNI's Anti-Corruption Unit arrested and bailed two officers on charges of fraud. Additional misconduct investigations are underway to maintain public confidence and uphold the highest standards of integrity within the force. The PSNI has been actively working to support the mental and physical safety of its staff, though some officers felt compelled to take extreme measures such as relocating. Legal representation and potential compensation claims are being considered by Edwards Solicitors for the majority of affected PSNI staff.
2025-02-03 11:42:23 thehackernews MALWARE Coyote Trojan Escalates Attack on Financial Sites in Brazil
Coyote banking malware primarily targets Brazilian Windows users, impacting 1,030 sites and 73 financial institutions. The malware facilitates a range of malicious operations such as keylogging, screenshot capture, and phishing overlays to steal sensitive data. The attack chain begins with Windows Shortcut files carrying PowerShell commands that deliver and execute the malware payload, using the Donut tool for decryption. Coyote collects and transmits system information and antivirus details from compromised machines, employing measures to evade detection by sandboxes and antivirus products. The latest modifications have expanded its capability to target a broader range of websites and financial platforms, deploying mechanisms to track and manipulate user access. Fortinet FortiGuard Labs highlighted the complexity and evolving nature of Coyote and the increasing threat it poses to financial cybersecurity in South America. Ongoing developments in Coyote's methodology indicate a sophisticated and adaptive approach to maximizing data exfiltration and system compromise.