Daily Brief


Total articles found: 12821


2025-01-30 10:22:34 theregister MISCELLANEOUS UK Employers Ramp Up Monitoring of Remote Workers
Over three-quarters of UK employers use surveillance technology to monitor remote workers' productivity, according to a recent survey. Surveillance methods include website and app tracking, real-time screen monitoring, and keystroke tracking, with 54% monitoring work hours most frequently. Research by ExpressVPN highlights issues such as lack of transparency, potential legality concerns, and significant impact on employee well-being and trust. Guidelines from the Information Commissioner's Office emphasize the need for clear communication about monitoring practices, but compliance isn't mandatory. The pressure of being monitored has led to heightened workplace stress and anxiety, with 46% of employees expressing concerns over management access to performance data. Many employees are willing to make major concessions to avoid surveillance, including quitting their jobs or accepting lower salaries. Approximately 70% of managers believe monitoring boosts trust and productivity, although this may contribute to a toxic work environment. Before adopting digital surveillance practices, employers should weigh the legal and ethical considerations and prioritize employee privacy and well-being to avoid misuse of data and erosion of trust.
2025-01-30 10:13:58 thehackernews DATA BREACH DeepSeek AI Exposes Over Million Logs and Secret Keys
DeepSeek AI, a rapidly growing Chinese startup, inadvertently left a database unprotected, risking unauthorized access to sensitive data. The exposed ClickHouse database contained over a million lines of log streams, including chat histories, secret keys, API secrets, and operational metadata. Wiz security researchers, upon discovering the breach, highlighted the vulnerability which allowed for complete database control with potential for privilege escalation. There were no immediate confirmations whether other malicious actors were able to exploit the security gap before it was secured by DeepSeek. The exposure of critical data underscores ongoing challenges in AI security, emphasizing fundamental risks over futuristic threats. DeepSeek's AI services have gained immense popularity, prompting concerns about data security amidst international scrutiny regarding privacy policies and national security. Recent controversies also involve queries from Italy's data protection regulator and investigations by OpenAI and Microsoft into potential misuse of proprietary technologies.
2025-01-30 07:23:18 thehackernews MALWARE Unpatched PHP Voyager Flaws Expose Servers to Remote Attacks
Three critical security flaws have been identified in the PHP package Voyager that enable one-click remote code execution. Attackers can upload malicious files that bypass MIME type checks, appearing as harmless media but executing as PHP scripts. A specific vulnerability, CVE-2024-55416, when combined with these flaws, can lead to severe security breaches through victim interactions with malicious links. The vulnerability allows attackers to execute arbitrary JavaScript code under the guise of an authenticated user, compromising server integrity. Another disclosed vulnerability, CVE-2024-55415, enables attackers to delete or manipulate files on the server. These vulnerabilities were responsibly disclosed on September 11, 2024, but remain unpatched, posing a continuous threat to users. Users are advised to be vigilant and cautious when integrating and using Voyager in their applications due to the risk of exploitation.
2025-01-30 06:44:13 thehackernews DDOS New Aquabot Mirai Variant Targets Mitel Phones for DDoS Attacks
Aquabot, a Mirai botnet derivative, exploits the CVE-2024-41710 vulnerability in Mitel phones to launch DDoS attacks. Affected devices include Mitel 6800, 6900, and 6970 series, with a security patch issued by Mitel in mid-July 2024. The botnet also targets other known vulnerabilities across different devices to expand its attack network. The latest Aquabot variant includes advanced features like a "report_kill" function for improved stealth and efficiency. Active exploitation involving this botnet was detected by Akamai researchers starting January 2025, using methods similar to publicly available exploits. Evidence suggests that the compromised botnet network is being marketed as a DDoS service on Telegram under various aliases. The ongoing prevalence of Mirai-based attacks underscores the significant security risks posed by poorly secured internet-connected devices.
2025-01-30 01:21:38 theregister CYBERCRIME Wacom Customer Credit Card Info Likely Stolen in Online Skimming
Wacom has announced that their online store was compromised, potentially leading to the theft of customer credit card information between November 2024 and January 2025. The breach was discovered in Wacom's e-commerce system which utilizes Magento, possibly exploiting a high-severity vulnerability known as CosmicSting. Wacom has contacted affected customers via email, advising them to monitor their accounts for suspicious activity. The security breach was allegedly caused by a payment page skimmer that intercepted and extracted payment data in real-time during transactions. The CosmicSting vulnerability, identified as CVE-2024-34102, was utilized to target over 4,000 online merchants previously, with its severity rated at 9.8/10. Wacom has resolved the immediate security issues and continues its investigation, pledging to update customers as more details become available. There is no specific disclosure on the number of customers affected or details on the perpetrators as investigations are ongoing.
2025-01-30 01:03:01 bleepingcomputer MALWARE Aquabotv3 Exploits Mitel Phones in Sophisticated Malware Campaign
Aquabotv3, a new variant of Mirai-based malware, targets a command injection flaw in Mitel SIP phones, specifically exploiting CVE-2024-41710. Akamai's Security Intelligence and Response Team (SIRT) detected the exploit through global honeypots, noting the malware uses a proof-of-concept published by a security researcher. The malware requires initial authentication, likely achieved through brute-forcing, to inject malicious commands during the device boot process, altering configuration files for remote control. Once installed, Aquabotv3 establishes persistence and connects to a command-and-control server to receive further orders and updates. It attempts to propagate itself across various IoT devices and networks by exploiting other known vulnerabilities and brute-forcing weak credentials. The primary function of the botnet is to amass a network for distributed denial of service (DDoS) attacks; the service is even advertised on platforms like Telegram. Mitel has issued patches for the vulnerability, and Akamai has provided necessary indicators of compromise and detection tools to help mitigate this threat.
2025-01-30 00:48:09 theregister DATA BREACH DeepSeek Leaves Database Unsecured, Exposes Sensitive Data
DeepSeek, a China-based AI company, failed to secure its database, leading to public exposure of sensitive data, including chat logs and API keys. Wiz, a New York-based security firm, discovered the unsecured DeepSeek database accessible via the internet without any form of authentication. The exposed ClickHouse database contained chat history, API secrets, backend data, and operational details, potentially allowing full database control and privilege escalation. Security researchers were able to run SQL queries through an open HTTP interface, revealing tables filled with sensitive information. The incident highlights risks in rapid AI adoption without adequate security measures, underlining the importance of protecting customer data. Wiz reported that DeepSeek fixed the security issue upon notification, though the company has yet to issue a formal response. DeepSeek’s privacy policy states it stores usage data on servers in China, raising additional concerns in Europe where its apps have faced scrutiny.
2025-01-30 00:48:07 bleepingcomputer MALWARE Solana Meme Coin Tool Compromised, Millions in Crypto Stolen
Hackers infiltrated the DogWifTools software on Windows, aimed at promoting meme coins on the Solana blockchain, resulting in significant wallet theft. A supply-chain attack allowed threat actors to extract a GitHub token by reverse engineering the software, gaining access to the project's private GitHub repository. Versions 1.6.3 to 1.6.6 of DogWifTools were trojanized after new updates by the developers, incorporating a Remote Access Trojan (RAT) to steal cryptocurrency wallet keys. The malware, hidden in an "updater.exe" file, specifically targeted and drained users' hot and cold wallets and compromised their cryptocurrency exchange accounts. Accusations of "rug pulling" surfaced on social media, though no direct evidence implicates DogWifTools; the tool's design, however, potentially aids memecoin scams. The platform is taking steps to enhance security and is working with blockchain investigators to identify and counteract the attacker. Losses are estimated at over $10 million, though precise figures are contested by the alleged hacker; no user data outside of locally stored wallet files was claimed to be stolen.
2025-01-30 00:10:02 thehackernews NATION STATE ACTIVITY North Korea's Lazarus Group Employs Sophisticated Admin Panels in Global Cyberespionage
North Korean threat actor, Lazarus Group, utilized a web-based admin platform to control its command-and-control (C2) operations globally. The admin panel, constructed using React and Node.js, allows centralized control over stolen data, compromised hosts, and payload delivery throughout their campaigns. Identified in a supply chain attack named Operation Phantom Circuit, the group targeted the cryptocurrency sector, implanting backdoors in legitimate software applications. Between September 2024 and January 2025, the operation compromised 233 victims globally, with the highest impacts seen in Brazil, France, and India. In January 2025 alone, 110 unique victims were targeted in India, showcasing the campaign's focus and intensity during this period. The group used LinkedIn as a vector for initial infections, presenting fake job opportunities to infiltrate networks and deploy malicious payloads. Security analysis traced the exfiltrated data back to Pyongyang, utilizing a complex network of VPNs and proxies, including Astrill VPN and Oculus Proxy. The campaign's infrastructure significantly relied on obfuscation techniques to evade detection while managing exfiltration and victim oversight effectively.
2025-01-29 23:39:19 theregister NATION STATE ACTIVITY Lazarus Group's Global Supply Chain Attack Targets Crypto Developers
North Korea's Lazarus Group executed a sophisticated supply chain attack, compromising global victims, particularly in the cryptocurrency sector. Termed "Phantom Circuit," the operation involved backdoored versions of legitimate software and open-source tools, designed to ensnare developers and compromise their systems. The campaign unfolded in waves, targeting hundreds of developers across Europe, India, and Brazil from November to January, stealing sensitive data such as credentials and passwords. Malware was embedded into cloned repositories of popular coding platforms and tools, which once downloaded, installed backdoors allowing data theft and remote control. SecurityScorecard researchers discovered the campaign and revealed that the malware communicated with command-and-control servers active since September 2024. The control servers managed victim data and malware delivery through a central administrative platform, utilizing advanced obfuscation techniques to hide their origins. North Korean IP addresses were identified in connection to these attacks, linking them directly to Lazarus Group's operations. The operation showcased a shift in Lazarus Group's tactics, focusing on long-term access and widespread impact with harder-to-detect methods.
2025-01-29 19:29:48 bleepingcomputer CYBERCRIME FBI Seizes Major Hacking Forums in Global Operation Talent
The FBI conducted a significant crackdown named "Operation Talent," targeting the notorious hacking forums such as Cracked.io and Nulled.to. International law enforcement from the US, Italy, Spain, Europe, France, Greece, Australia, and Romania collaborated in the seizure. Seizure banners were displayed on multiple domains, indicating the capture by international law enforcement and the confiscation of related customer and victim information. The seized forums were known for facilitating cybercrimes, including password theft, credential stuffing, and distributing hacking tools and software cracks. Users attempting to access these sites encountered DNS errors, with domain name servers being switched to FBI-controlled servers. Cracked.io responded to the seizure by initially attributing the downtime to a data center problem, later confirmed as part of the FBI's operation. The operation highlights a focused effort by global authorities to tackle platforms involved in large-scale credential theft and cybercriminal activities.
2025-01-29 19:29:48 bleepingcomputer MALWARE Critical Unpatched RCE Vulnerabilities in Laravel Voyager
Vulnerabilities in the Voyager admin package for Laravel could lead to remote code execution. Three specific flaws were identified, remaining unpatched and exploitable via a single malicious link clicked by an authenticated user. SonarSource researchers discovered these vulnerabilities and unsuccessfully attempted to contact the Voyager team over a 90-day period. The unaddressed issues were initially identified through routine scans by the SonarQube Cloud team. Potential attackers can leverage these vulnerabilities to execute malicious code on systems running vulnerable Voyager instances. Voyager is extensively used by developers and small to medium-sized businesses for managing Laravel applications, amplifying the impact of these vulnerabilities. Recommendations include limiting access, enhancing server-level security precautions, and considering alternative admin panels until patches are available.
2025-01-29 17:35:15 bleepingcomputer CYBERCRIME FBI Seizes Domains of Prominent Hacking Forums Cracked.io, Nulled.to
The FBI has officially seized the domains of two well-known hacking forums, Cracked.io and Nulled.to, due to their involvement in cybercrime activities. These forums were key platforms for discussions on password theft, cracking techniques, and credential stuffing attacks. The content on these sites included software cracks, hacking tools, and marketplaces for stolen credentials or databases. After the seizure, visitors to these sites encounter DNS error messages indicating their inaccessibility. The forums' domain name servers were changed to FBI-controlled name servers, signaling a definite takeover by law enforcement. An announcement from Cracked.io’s staff citing a data center issue was made on their Telegram channel, hinting at technical difficulties in connection with the seizure. No official comment from the FBI has been made available yet regarding the specifics of the crackdown or the future actions to be taken against other similar platforms.
2025-01-29 16:37:25 thehackernews MALWARE Interlock Ransomware Targets U.S. Healthcare Organizations
Interlock ransomware has significantly impacted the healthcare sector, affecting numerous U.S. organizations. It uses drive-by compromise tactics initiated through deceptive phishing sites that mimic legitimate services, and employs double extortion by encrypting data and threatening to leak sensitive information if ransoms aren't paid. Attack vectors include fake software updates that install malware, enabling control over networks. Attackers steal credentials to access and move laterally within the network, further compromising security. Data exfiltration is performed using cloud services, moving stolen data out of network bounds. Healthcare organizations are encouraged to adopt proactive security measures, including using tools like ANY.RUN Sandbox for early threat detection and analysis.
2025-01-29 16:37:25 thehackernews MALWARE New Attacks Expose Vulnerabilities in Apple M-Series Chips
A team of researchers from Georgia Institute of Technology and Ruhr University Bochum has uncovered new speculative execution exploits in Apple's silicon, named SLAP and FLOP. These attacks exploit side-channels to leak sensitive data from applications such as Safari and Google Chrome. The SLAP attack affects Apple's M2, A15, and newer processors, leveraging inaccuracies in Load Address Prediction (LAP) to execute arbitrary computations. The FLOP attack targets M3, M4, and A17 chips, exploiting Load Value Predictor (LVP) mechanisms to bypass critical memory safety checks, potentially leaking user data such as location history and credit card information. Both types of attacks could enable adversaries to recover sensitive information such as email content and browsing behaviors. Apple was notified about SLAP and FLOP in May and September of 2024, allowing time for assessing and potentially mitigating these vulnerabilities. This disclosure follows another report about the SysBumps and TagBleed exploits, suggesting ongoing vulnerabilities related to speculative execution and side-channel attacks in modern processors. Researchers indicate that despite these chips deploying performance optimization techniques, malicious actors can manipulate these to access protected data.