Daily Brief

2025-07-15 08:34:54 theregister NATION STATE ACTIVITY UK's F-35 Stealth Fighters Face Operational Challenges
The UK's F-35B stealth fighters are underperforming due to high unavailability rates and a shortage of support personnel. A National Audit Office (NAO) report emphasizes the need for the Ministry of Defence (MoD) to improve aircraft efficiency and demonstrate financial accountability. Mission-capable rates for the UK's fleet fall significantly below MoD targets, with availability impacted by global spare part shortages and local personnel deficits. Delays in integrating essential weapons like the Spear 3 and Meteor missiles are blamed on poor supplier performance and inadequate prioritization by the MoD. The expected delivery of key system upgrades, known as Block 4, has been postponed from 2022 to potentially beyond 2033, further delaying operational readiness. The US is perceived as deprioritizing European weaponry compatibility, influencing the UK's decision to develop a new fighter, Tempest, with non-US partners. Britain risks falling behind international partners within the F-35 program, as highlighted by slower aircraft procurement compared to nations like Australia and Norway. The MoD contends that despite these challenges, the F-35 program operates within budget, and two squadrons are expected to be deployment-ready by the year's end.
2025-07-15 07:25:08 thehackernews MALWARE North Korean Hackers Ramp Up Attacks with New Malware on npm
North Korean hackers released 67 malicious packages into the npm registry, marking an ongoing software supply chain attack linked to the Contagious Interview campaign. These packages have collectively garnered over 17,000 downloads and introduce a new malware loader variant named XORIndex. Earlier, 35 npm packages were discovered deploying different loaders like HexEval, totaling over 8,000 downloads. The hackers have adopted a rapid replacement strategy for detected malicious packages, uploading new or modified versions to evade security measures. Their operation, Contagious Interview, entices developers to download malicious open-source projects under the guise of coding tasks, potentially bypassing formal employment processes. The malware serves dual purposes: extracting sensitive data from web browsers and cryptocurrency wallets, and deploying a Python backdoor called InvisibleFerret. Over time, the potency and stealth of the loaders have evolved, with newer versions showing enhanced capabilities in system reconnaissance and obfuscation. Socket researcher Kirill Boychenko predicts continued diversification and deployment of new malware variants by the attackers, signifying a persistent threat.
2025-07-14 23:46:45 theregister CYBERCRIME High-Profile Cyber Attack on Elmo's X Account Spreads Hate Speech
Elmo's X (formerly Twitter) account was hacked, posting virulent antisemitic and racist messages. Sesame Workshop confirmed the breach, stating that the account was compromised by an unknown hacker who has been posting offensive content. The compromised account included egregious messages that targeted Jewish communities, President Trump, and referenced controversial conspiracy theories. This incident is part of a troubling trend where high-profile accounts on X are hijacked to spread misinformation or hate speech, continuing even after Elon Musk's acquisition of the platform. Past victims of similar attacks include prominent figures and organizations such as Jeff Bezos, Barack Obama, and the US SEC. The resurgence of account compromises and the proliferation of hate speech posts are significant concerns for the platform's management and user security protocols.
2025-07-14 20:24:34 bleepingcomputer MISCELLANEOUS UK NCSC Initiates External Cybersecurity Vulnerability Research Program
The UK's National Cyber Security Centre (NCSC) launched the Vulnerability Research Initiative (VRI) to collaborate with external cybersecurity experts. The initiative aims to enhance the discovery and sharing of critical insights into cybersecurity vulnerabilities in technology. NCSC already performs internal vulnerability research but seeks to expand its capabilities via external partnerships. The VRI will focus on identifying software and hardware vulnerabilities, assessing proposed mitigations, and disclosing them through established procedures. Participants will provide NCSC with details of the methodologies and tools used during their research to help establish a framework for best practices. NCSC plans to involve experts specializing in emerging fields, including AI-driven vulnerability discovery, to sharpen future defenses. Interested cybersecurity professionals are invited to contact NCSC via a designated email to express their interest and area of expertise. The initiative reflects NCSC's ongoing commitment to protecting the UK's infrastructure and citizens from cybersecurity threats.
2025-07-14 20:05:03 theregister MALWARE Rowhammer Attack Compromises Nvidia GPU Memory Security
Nvidia A6000 GPUs are vulnerable to a new Rowhammer attack variant called GPUHammer, which targets GDDR6 DRAM memory. University of Toronto researchers disclosed the threat in January, with their findings to be officially presented at USENIX Security 2025. This attack represents the first successful Rowhammer exploit on Nvidia GPUs, capable of manipulating AI model accuracy by affecting the DNN weights. Despite protection mechanisms like Target Row Refresh, the attack can still reduce the accuracy of machine-learning models by up to 80%. Effective attack mitigation includes enabling Error Correction Codes (ECC), which, while reducing performance by about 10% and memory by 6.25%, helps prevent data corruption. The Rowhammer technique was first identified in 2014 and has been applied to various devices over the years, reflecting its persistent threat to digital security. Organizations utilizing cloud-based AI applications might be particularly vulnerable to GPUHammer, risking significant inaccuracies in AI model predictions.
2025-07-14 18:37:41 bleepingcomputer MALWARE Interlock Ransomware Evolves With New FileFix Delivery Method
Interlock ransomware operations are increasingly utilizing a new technique named "FileFix" to deploy a remote access trojan (RAT). The FileFix technique, an evolution of ClickFix, involves deceiving users into executing malicious code by manipulating trusted UI elements like File Explorer. This method was adopted after employing the KongTuke web injector to compromise websites and distribute payloads through fake CAPTCHA verifications. Recent attacks prompt users to type a disguised PowerShell command into File Explorer's address bar, initiating the download and execution of the PHP RAT. Post-infection activities include gathering and exfiltrating system information, exploring Active Directory settings, and executing commands through a control server. Changes in the malware's delivery mechanism signify a shift toward more surreptitious and effective attack methodologies. Interlock ransomware, known since September 2024, targets high-profile victims and continually adapts its infection strategies to enhance success and stealthiness.
2025-07-14 17:47:10 theregister CYBERCRIME Critical Software Flaw Risking U.S. Freight Train Security Exposed
Neil Smith discovered a vulnerability in 2012 in train communication protocols that allowed hackers to control train brakes remotely. After years of inaction, CVE-2025-1727 was issued by CISA, highlighting a severe weak-authentication vulnerability. The affected system, known as FRED, is outdated and uses easily spoofed checksums, which could enable someone to induce train derailments. Despite the vulnerability being known since 2012, adequate security measures and protocol updates have been severely delayed. The American railroad industry, represented by the Association of American Railroads (AAR), is expected to implement a more secure technology only by 2027. AAR and CISA recommend interim measures like network segmentation, but these may not be sufficient against determined attackers using simple equipment. The delay and exposure leave the national railway system open to potentially catastrophic cyber-attacks until a fix is fully implemented.
2025-07-14 17:15:02 thehackernews CYBERCRIME Exposed Git Repositories: A Silent Threat to Enterprise Security
Exposed Git repositories are prevalent, under-recognized risks in enterprise environments, leaking sensitive data like API keys, tokens, and passwords. The increase in development velocity and the volume of code shipped exacerbates the risk of accidental exposure of credentials in Git repositories. Data from GitHub revealed over 39 million leaked secrets in 2024, marking a 67% increase from the previous year, including critical credentials like cloud credentials and SSH keys. Attack vectors from exposed repositories include accessing developer environments and internal systems, which can lead to significant breaches without alerting standard security protocols. Attackers use public tools and scanners to identify and exploit vulnerabilities within Git repositories, often using exposed secrets to gain broader access to networks and systems. Effective mitigation strategies include implementing strong secrets management, maintaining stringent code hygiene, and applying robust access controls. Compliance with frameworks like NIS2, SOC2, and ISO 27001 is becoming more stringent, necessitating hardened software delivery pipelines and controlled third-party risk. A combination of proactive security practices, continuous validation, and viewing repository security as a core component of IT strategy is recommended to manage and mitigate these risks.
2025-07-14 16:53:30 thehackernews MALWARE New PHP Variant of Interlock RAT Targets Diverse Industries
Threat actors from the Interlock ransomware group launched a PHP-based variant of their Interlock RAT, leveraging a delivery mechanism named FileFix. The attack employs compromised websites that host a script for traffic redirection, guiding users to a fake CAPTCHA that ultimately deploys the RAT. The FileFix system is an evolution of ClickFix, utilizing Windows File Explorer for executing malicious scripts. This variant allows for persistent system access, data exfiltration, and the capacity for remote command execution. Security reports note the RAT has been used against various sectors, underlining its opportunistic deployment across industry landscapes. Notably, the malware uses Cloudflare Tunnel subdomains to mask command-and-control server locations, with hardcoded IP fallbacks to maintain control channel integrity. The Interlock group's operational sophistication continues to evolve, with the latest campaigns distributing both Node.js and PHP variants of their RAT.
2025-07-14 16:34:22 bleepingcomputer MALWARE Gigabyte Motherboards Compromised by Secure Boot Bypass Malware
Gigabyte motherboards are vulnerable to UEFI firmware attacks, allowing malware to bypass Secure Boot and persist through system reinstalls. Attackers can exploit four high-severity vulnerabilities to execute malicious code in the System Management Mode (SMM), which operates separately from the OS with elevated privileges. The vulnerabilities, with a severity score of 8.2, impact over 240 motherboard models, affecting various revisions and regional editions. These security flaws originated from American Megatrends Inc. (AMI) reference code, which disclosed the issues to select customers under NDA, leaving many downstream vendors like Gigabyte with unpatched systems. Binarly, a firmware security company, discovered the vulnerabilities and reported them to CERT/CC; Gigabyte confirmed the issues later but has yet to release any patches. With many affected products already at end-of-life, updates may not be forthcoming, exposing users, especially in critical environments, to persisting risks. Binarly provides a detection tool called Risk Hunt scanner to help users identify if their systems are at risk from these vulnerabilities.
2025-07-14 12:55:00 thehackernews CYBERCRIME UK NCA Arrests Alleged Members of Cybercrime Group Scattered Spider
The UK National Crime Agency (NCA) arrested four individuals connected to cyber attacks on major retailers including Marks & Spencer, Co-op, and Harrods. Those apprehended include two 19-year-old males, a 17-year-old male, and a 20-year-old female, located in the West Midlands and London. The suspects face charges under the Computer Misuse Act, along with accusations of blackmail, money laundering, and involvement in organized crime. They are linked to the cybercrime group Scattered Spider, an offshoot of The Com collective, known for a range of criminal activities from phishing to murder. The arrests spotlight the continuing challenge of tackling organized cybercrime and the importance of a prompt and coordinated law enforcement response. Key vulnerabilities and CVEs highlighted this week underscore the urgent need for businesses to patch software flaws swiftly to prevent exploitation. Recommended practices include using automated tools for mapping known vulnerabilities and focusing on high-risk CVEs to enhance cybersecurity defenses.
2025-07-14 12:28:46 bleepingcomputer CYBERCRIME Fake VSCode Extension Leads to Massive Crypto Heist
A malicious VSCode extension named "Solidity Language" from the Open VSX registry led to the theft of $500,000 in cryptocurrency. The fake extension was designed to impersonate a legitimate plugin for Ethereum smart contracts, but instead executed a remote PowerShell script. The attackers used the script to install ScreenConnect, gaining full remote access to the victim's computer. Additional malicious payloads were subsequently downloaded, including a known malware loader. The victim, a Russian crypto developer, did not have antivirus software installed, complicating the detection of the intruding software. Kaspersky's investigation revealed that the extension had been downloaded 54,000 times, though this figure was likely inflated to boost its apparent legitimacy. Similar deceptive extensions were found in Microsoft's Visual Studio Code marketplace, suggesting a broader attack strategy. Kaspersky advises developers to exercise extreme caution when downloading tools and packages from open repositories, as these platforms are increasingly targeted by cybercriminals.
2025-07-14 10:23:40 theregister NATION STATE ACTIVITY UK and France Develop GPS Backup Amid Jamming Concerns
Britain and France are collaborating to enhance GPS resilience amid increasing signal jamming globally. This initiative was disclosed during French President Macron's state visit, aligning with other UK-France science and technology partnerships. The focus is on developing positioning, navigation, and timing (PNT) technologies as alternatives to GPS that are more resistant to interference. Technologies like eLoran, a terrestrial system that uses low-frequency ground-based radio towers and is difficult to jam, are being considered. These efforts aim to protect critical civilian infrastructure, particularly applications like business transaction time-stamping that rely on precise timing. The UK's Ministry of Defence has explored deploying portable eLoran networks and has called for tenders to build a national eLoran system. Recent international incidents, including GPS disruptions in the Baltic Sea, have underscored the urgency of these protective measures against GPS signal manipulation. GPS interference and spoofing are identified as significant flight safety concerns by the European Union Aviation Safety Agency (EASA), affecting regions across Eastern Europe and the Middle East.
2025-07-14 08:43:33 theregister NATION STATE ACTIVITY UK NCA Disputes Efficiency Comparison to FBI in Crime Report
The UK's National Crime Agency (NCA) contests the findings of a think tank report that claims the FBI is nearly three times more efficient. The Social Market Foundation based its report on a "crude" comparison of arrest figures and officer counts without considering different mandates of the NCA and FBI. The report criticizes the UK government and NCA's approach towards combating serious organized crime, highlighting issues such as underinvestment and recruitment challenges. The NCA highlights its strategic impacts on organized crime, disputing the think tank's methodology and defending its results and operational effectiveness. Despite criticisms, the NCA achieved significant successes, including recent arrests related to ransomware attacks on major British retailers. The NCA insists it remains a world-leading agency in combating serious and organized crime, aiming to further enhance its operational capabilities. Social Market Foundation urges the UK to redefine its national strategy against organized crime and increase funding for the NCA.
2025-07-14 08:05:23 thehackernews CYBERCRIME India’s CBI Dismantles UK-Australia Tech Support Scam Ring
India's Central Bureau of Investigation (CBI) successfully shut down a transnational tech support scam operated from Noida, targeting citizens in the UK and Australia. The fraudulent scheme by FirstIdea call center caused losses exceeding £390,000 in the UK alone. CBI's Operation Chakra V involved raids on three locations, including a live fraudulent call center, resulting in two arrests. Scammers pretended to be tech support from major corporations, deceiving victims into paying for unnecessary technical support services. Collaborative efforts between CBI, UK's National Crime Agency, the FBI, and Microsoft were crucial in identifying and dismantling the scam's infrastructure. Over 100 individuals in the UK were deceived by the scammers using spoofed phone numbers and VoIP to appear as legitimate tech support. The raids were timed to match the active scam calls based on victim time zones, enhancing the operation’s effectiveness.