Daily Brief
Total articles found: 12821
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-01-23 19:07:15 | bleepingcomputer | MALWARE | Hundreds of Fake Sites Distribute Lumma Stealer Malware | Hackers have created nearly 1,000 fake web pages mimicking Reddit and WeTransfer to distribute Lumma Stealer malware. These fraudulent sites feature counterfeit discussions and download links to trick users into downloading malware. Unsuspecting individuals are directed to these fake websites, where the 'Download' button installs the Lumma Stealer. The URLs of these deceptive pages often combine a recognizable brand name with random characters to appear credible. Sekoia researcher crep1x identified 529 pages impersonating Reddit and 407 impersonating WeTransfer, detailing the extensive nature of the campaign. Lumma Stealer, a potent infostealer, can capture passwords and session tokens, posing severe security risks. The malware's distribution methods include malvertising, malicious websites, and direct messages on social media. The stolen data is commonly sold on hacker forums, highlighting the critical threat to personal and organizational security. |
| 2025-01-23 18:31:36 | bleepingcomputer | CYBERCRIME | QNAP Mitigates Six Critical Vulnerabilities in NAS Backup App | QNAP has addressed six critical vulnerabilities in its HBS 3 Hybrid Backup Sync app, enhancing security for NAS devices. Rsync, the affected tool, is essential for file synchronization and is utilized in various backup, cloud, and server management services. The vulnerabilities could potentially allow attackers to execute remote code on unpatched systems through a series of exploitation chains. Identified flaws include a heap buffer overflow, information leaks, server file leakage, path traversal, safe-link bypass, and a symbolic link race condition. QNAP urgently recommends updating the HBS 3 app to version 25.1.4.952 to protect against these security risks. The vulnerabilities expose over 700,000 IP addresses with rsync servers, though the exact number vulnerable to these exploits remains uncertain. Ensuring software updates and limiting anonymous access are crucial steps in safeguarding against such vulnerabilities. |
| 2025-01-23 18:01:03 | bleepingcomputer | MISCELLANEOUS | Google Enhances Android Security with New Identity Check Feature | Google has introduced a new security feature called "Identity Check" for Android devices, enhancing protection against theft. The feature restricts access to sensitive settings through biometric authentication when the device is outside trusted locations. Identity Check applies to actions such as factory resets, modifying screen locks, and managing Google accounts. The feature is initially available on Google Pixel devices running Android 15 and Samsung Galaxy devices with One UI 7. Enhanced protection includes partnerships with GSMA to further develop anti-theft systems, with details to be provided later. The Theft Detection Lock feature, previously exclusive to Google Pixel, is now expanding to all Android 10+ devices. Users can activate both Identity Check and Theft Detection Lock via their device's Google account settings under Theft Protection. |
| 2025-01-23 16:55:08 | bleepingcomputer | CYBERCRIME | Persistent Exploitation of Patched Ivanti Bugs Threatens Networks | CISA and the FBI have issued a warning that attackers are exploiting previously patched vulnerabilities in Ivanti Cloud Service Appliances to infiltrate networks. The exploited vulnerabilities include CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380, all of which were addressed between September and October. These vulnerabilities have facilitated administrative authentication bypass, remote code execution, and SQL injection, enabling attackers to execute code remotely, capture credentials, and implant webshells. Attackers have demonstrated the ability to chain these vulnerabilities together for more effective exploitation, and in at least one case moved laterally across the network to additional servers. Federal agencies are urged to upgrade their Ivanti appliances to the most current versions and to actively search for signs of malicious activity based on the provided indicators of compromise. Ivanti has been targeted more frequently since early 2025 with sophisticated attacks, including the deployment of the new Dryhook and Phasejam malware types through zero-day attacks. Ivanti serves over 40,000 global companies, highlighting the broad potential impact of these security vulnerabilities. |
| 2025-01-23 16:39:45 | theregister | CYBERCRIME | SonicWall Flags Critical Zero-Day Bug, Issues Critical Hotfix | SonicWall has identified a critical vulnerability in its SMA 1000 product line, potentially already exploited as a zero-day. The vulnerability, designated CVE-2025-23006, allows remote, unauthenticated attackers to execute arbitrary OS commands under specific conditions. The affected SMA 1000 series components include the Appliance Management Console (AMC) and Central Management Console (CMC), which are critical for administrative tasks. SonicWall released a hotfix (version 12.4.3-02854) to resolve the issue, and older versions are considered vulnerable. No specific details about the vulnerable conditions were disclosed, to avoid increasing the risk of further exploitation. A workaround recommended by SonicWall involves restricting AMC and CMC access to trusted sources. The affected SMA 1000 series is predominantly used by major enterprises and government agencies for secure remote access. The Microsoft Threat Intelligence Center discovered the vulnerability. |
| 2025-01-23 15:49:01 | bleepingcomputer | CYBERCRIME | Critical Zero-Day Exploit in SonicWall SMA1000 Warns of New Threats | SonicWall has identified a critical zero-day exploit, CVE-2025-23006, in the SMA1000 appliance series. This exploit, with a CVSS v3 score of 9.8, allows unauthenticated remote attackers to execute arbitrary OS commands. The vulnerability affects all firmware versions up to 12.4.3-02804, and users are urged to install the hotfix release version 12.4.3-02854. The flaw was initially discovered by Microsoft's Threat Intelligence Center and is not present in the SMA 100 series products. Germany's CERT-Bund has also issued a warning urging immediate update implementation. A researcher highlighted that currently 2,380 SMA1000 devices are exposed online, increasing the risk of exploitation. In related news, SonicWall recently addressed a separate authentication bypass flaw in its firewall appliances. Critical service providers, government, and large organizations commonly use SMA1000 devices, highlighting the importance of this security update. |
| 2025-01-23 15:33:37 | theregister | MISCELLANEOUS | Meta Faces EU Consumer Complaint Over Pay-or-Consent Policy | The European Consumer Organisation (BEUC) has contacted EU enforcement authorities regarding Meta's pay-or-consent model, alleging possible legal infringements. BEUC criticizes the model for potentially confusing consumers with its interface design and degrading service quality for those not consenting to personal data usage. Meta updated its model in November 2024 by lowering the no-ads subscription price by 40% and offering options for fewer personalized ads without consent. Despite these changes, BEUC believes Meta's adjustments are superficial and do not sufficiently address its fundamental concerns with the policy. BEUC urges quick investigation and action from consumer and data protection authorities and the European Commission to safeguard consumer interests. Meta disputes BEUC's claims, stating that its policy changes exceed the requirements of EU law, suggesting a significant disagreement on compliance and consumer fairness. |
| 2025-01-23 15:28:05 | bleepingcomputer | CYBERCRIME | Tesla EV Charger Compromised in Automotive Hacking Contest | Tesla's Wall Connector electric vehicle charger was hacked twice during the second day of the Pwn2Own Automotive 2025 contest held in Tokyo. The event saw security researchers exploit 23 zero-day vulnerabilities in EV chargers and in-vehicle infotainment systems from multiple brands. The PHP Hooligans team first hacked Tesla's charger using a specific zero-day bug, followed by the Synacktiv team, who introduced a new hacking method. A total of $335,500 in cash rewards was distributed for the vulnerabilities discovered on the second day of the event, highlighting the significant finds by the researchers. The competition enforced strict rules: all targeted devices were required to run the latest software versions and be fully updated. After the competition, manufacturers have a 90-day window to address the security issues before the vulnerabilities are publicly disclosed. The contest is part of a larger focus on automotive technology security and included the targeting of EV chargers, car operating systems, and infotainment systems over several days. |
| 2025-01-23 15:28:05 | bleepingcomputer | MALWARE | Stealth Attack: 'Magic Packet' Malware Targets Juniper VPN Gateways | 'J-magic' malware specifically targets Juniper edge devices used primarily as VPN gateways in critical sectors including semiconductor, energy, and manufacturing. The malware, observed active from mid-2023 to at least mid-2024, operates by detecting specific network "magic packets" to initiate a challenge-protected reverse shell. Black Lotus Labs identified J-magic as a variant of the cd00r backdoor, which silently listens to TCP traffic until activated by specific packet characteristics. The malware implements an eBPF filter to scrutinize traffic and uses RSA encryption to safeguard against unauthorized access by third-party threat actors. Significantly, half of the observed infected devices served as VPN gateways, showing the malware's focus on nodes critical to organizational infrastructure. Though similarities were found with the SeaSpy malware, researchers report low confidence in linking J-magic and SeaSpy directly. The report highlights the growing trend of using sophisticated malware to target enterprise-grade routers in order to maintain persistent, undetected access. |
| 2025-01-23 15:17:44 | thehackernews | MALWARE | Major Security Flaws Detected in Palo Alto Firewall Models | Eclypsium's investigation reveals critical vulnerabilities in Palo Alto Networks firewall models PA-3260, PA-1410, and PA-415. The vulnerabilities, termed PANdora's Box, could allow attackers to bypass Secure Boot and alter firmware, compromising device integrity. The flaws identified are not obscure but well-known, raising concerns about the security measures of enterprise-level devices. One model, the PA-3260, was discontinued on August 31, 2023, but the other two models are still actively supported. The report emphasizes the necessity for organizations to adopt comprehensive strategies for supply chain security. Recommendations include rigorous vendor assessments, regular firmware updates, and continuous monitoring of device integrity. The findings highlight the importance of addressing vulnerabilities in devices intended to protect against cyber threats, to ensure network and data security. |
| 2025-01-23 15:02:17 | thehackernews | MALWARE | Global Fake CAPTCHA Campaign Spreads Lumma Information Stealer | Cybersecurity researchers have identified a malware campaign using fake CAPTCHA verifications to deploy Lumma Stealer across multiple countries, including Argentina, Colombia, the U.S., and the Philippines. The campaign targets various industries, with the highest incidence in telecom, followed by the healthcare, banking, and marketing sectors. Attackers initiate the chain by directing victims to compromised websites that lead to fraudulent CAPTCHA pages instructing visitors to execute commands that bypass browser defenses. The malicious CAPTCHA pages encourage victims to download and execute an HTA file using the mshta.exe binary, which subsequently launches a PowerShell script containing the Lumma Stealer. These attacks are designed to evade detection by disabling the Windows Antimalware Scan Interface (AMSI) and leveraging user interaction within the system. The malware is part of a malware-as-a-service (MaaS) model, and its distribution is aided by about 1,000 counterfeit domains impersonating popular sites like Reddit and WeTransfer. Recent developments also detail an enhanced Phishing-as-a-Service (PhaaS) toolkit that includes advanced tactics to obstruct security tool detection and analysis. |
| 2025-01-23 14:46:54 | theregister | DATA BREACH | Global Impact of FortiGate Config Leak Exposes Thousands of Organizations | Thousands of email addresses and FortiGate configurations have been leaked online following a zero-day exploit in 2022. Researchers Kevin Beaumont and Florian Roth have uploaded and categorized the leaked data to aid organizations in identifying potential impacts. The leaked data contains IP addresses, and some organizations' primitive configurations and credentials, including plaintext passwords. Approximately 5,000 organizational domains globally could be affected, some of which belong to government and high-profile entities. Fortinet claims damage control is manageable if affected organizations follow recommended security best practices. Beaumont highlighted the severity of leaked IPsec VPN tunnel configurations, which could allow attackers access to organizational networks. Security experts urge affected entities to conduct comprehensive compromise assessments to check for potential breaches and ensure no backdoors remain. |
| 2025-01-23 14:01:13 | thehackernews | MALWARE | Analysis Reveals HellCat and Morpheus Ransomware Use Shared Codebase | SentinelOne researchers discovered shared code in the HellCat and Morpheus ransomware, indicating links between these operations. The similarity was identified in ransomware payloads uploaded by the same submitter to VirusTotal in late December 2024. Despite their recent emergence, both ransomware types exhibit identical code, apart from victim-specific details and contact information. Notable coding characteristics include the exemption of certain system directories and file types from encryption and the retention of original file extensions upon encryption. The ransomware leverages the Windows Cryptographic API for key generation and employs the BCrypt algorithm for encryption. Both HellCat and Morpheus drop similar ransom notes, which seem to be templated from another ransomware group, Underground Team, albeit with unique operational procedures. The decentralization trend in ransomware activities has led to a fragmented yet resilient landscape of threats, culminating in December 2024's record-high incidents. |
| 2025-01-23 11:24:32 | thehackernews | CYBERCRIME | New Authentication Technologies Aim to End Identity-Based Threats | Credential and user-based attacks are still leading causes of security breaches, affecting 50-80% of enterprises. Traditional security measures focus primarily on risk reduction rather than prevention, dealing with threats post-breach. Modern security solutions now enable complete prevention of identity-based threats, shifting from risk management to actual threat neutralization. Identity-based threats like phishing and stolen credentials are predominant in enterprises, making up a significant share of breach costs and continuing to exploit traditional authentication weaknesses. Effective prevention of identity-based attacks requires authentication architectures that employ strong cryptographic controls and continuous trust verification. Beyond Identity provides advanced access management by evaluating real-time device risk and continuously authenticating users to enhance security. Continuous risk-based access control and integration with existing security tools enable responsive and adaptive access policies. Adoption of phishing-resistant authentication technologies represents a significant step forward in preventing identity-based breaches at an organizational level. |
| 2025-01-23 10:28:46 | thehackernews | MALWARE | SonicWall Alerts to Critical Flaw in SMA 1000 Appliances | SonicWall has issued a critical alert for a security vulnerability in its SMA 1000 series, identified as CVE-2025-23006. This flaw, with a severity rating of 9.8/10 on the CVSS scale, could allow unauthenticated remote attackers to execute arbitrary OS commands. The vulnerability specifically affects the Appliance Management Console (AMC) and Central Management Console (CMC) within the SMA 1000 appliances. SonicWall has addressed the issue in version 12.4.3-02854 (platform-hotfix) and urged customers to promptly apply this patch. There have been reports of possible active exploitation of this vulnerability in the wild. The vulnerability does not impact SonicWall's Firewall and SMA 100 series products. Microsoft Threat Intelligence Center (MSTIC) was credited with discovering and reporting the vulnerability. SonicWall recommends restricting access to the AMC and CMC to trusted sources to minimize potential impact. |