Daily Brief

Articles are listed below with generated summaries

Total articles found: 11823

Checks for new stories every ~15 minutes

2025-04-24 10:02:51 thehackernews MALWARE Critical Security Flaw Uncovered in Commvault Command Center
A flaw in Commvault Command Center, tracked as CVE-2025-34028 (CVSS 9.0), lets an unauthenticated remote attacker execute arbitrary code on affected installations. It affects versions 11.38.0 through 11.38.19 of the 11.38 Innovation Release and is fixed in 11.38.20 and 11.38.25. The root cause is a server-side request forgery (SSRF) in the "deployWebpackage.do" endpoint, which is reachable without authentication. An attacker can escalate the SSRF to code execution by having the server fetch a ZIP archive containing a malicious .JSP file, which is then unpacked into a location the application server will execute. Detection tooling has been published to help organizations identify vulnerable installations. The discovery underscores the growing pressure on backup and replication software and the need to apply vendor updates promptly.
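The bug class described above, fetch a package from a caller-supplied URL and unpack it into a served directory, is easy to reproduce in miniature. The following is an added illustration, not Commvault's code and not an exploit for CVE-2025-34028: it models a "deploy web package" handler in Python, shows the unsafe extraction that lets a member named `../dropped.jsp` escape the web root, and the hardened version that allow-lists the source host (the SSRF control), canonicalises every archive member, and refuses server-executed file types. The host name `packages.example.internal` and the extension deny list are assumptions for the demo.

```python
"""Added illustration of the SSRF-plus-archive-deploy bug class (not Commvault code).
Models a "deploy web package" handler that fetches a ZIP from a caller-supplied
URL and unpacks it into a directory the app server serves.  Two trusted inputs
turn that into unauthenticated RCE: the URL (SSRF) and the archive member names
(a member called ../ROOT/shell.jsp lands in a served path).  The hardened version fences both.
"""
import io
import os
import tempfile
import zipfile
from urllib.parse import urlparse

ALLOWED_HOSTS = {"packages.example.internal"}         # assumption: sole legitimate source
SERVER_EXECUTED = {".jsp", ".jspx", ".war", ".class"}  # assumption: container-executed types


def build_zip(entries: dict) -> bytes:
    """Constructed test input: in-memory ZIP from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def check_source_url(url: str) -> None:
    """SSRF control: fetch only over https from an allow-listed host."""
    p = urlparse(url)
    if p.scheme != "https" or p.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"refusing to fetch package from {url!r}")


def deploy_unsafe(zip_bytes: bytes, dest: str) -> None:
    """Vulnerable: joins each member name onto dest unchecked, so '../'
    is honoured and the file is written outside the web root."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))


def deploy_hardened(zip_bytes: bytes, dest: str) -> list:
    """Hardened: canonicalise every member path, refuse absolute names,
    traversal and server-executed types, and validate the whole archive
    before writing a single byte."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        planned = []
        for info in zf.infolist():
            name = info.filename
            if name.startswith(("/", "\\")) or os.path.isabs(name):
                raise ValueError(f"absolute member name: {name}")
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"path traversal in member: {name}")
            if os.path.splitext(name)[1].lower() in SERVER_EXECUTED:
                raise ValueError(f"server-executed file in package: {name}")
            planned.append((info, target))
        for info, target in planned:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
    return [t for _, t in planned]


def run_demo() -> dict:
    """Exercise both paths on constructed packages in a scratch directory."""
    base = tempfile.mkdtemp()
    web = os.path.join(base, "web")
    os.makedirs(web)
    traversal_pkg = build_zip({"../dropped.jsp": b'<% out.println("hi"); %>'})
    jsp_pkg = build_zip({"static/shell.jsp": b"<% %>"})
    benign_pkg = build_zip({"index.html": b"<h1>ok</h1>", "css/site.css": b"body{}"})

    def rejected(fn, arg) -> bool:
        try:
            fn(arg)
            return False
        except ValueError:
            return True

    deploy_unsafe(traversal_pkg, web)
    return {
        "unsafe_wrote_outside_webroot": os.path.isfile(os.path.join(base, "dropped.jsp")),
        "hardened_rejects_traversal": rejected(lambda p: deploy_hardened(p, web), traversal_pkg),
        "hardened_rejects_jsp": rejected(lambda p: deploy_hardened(p, web), jsp_pkg),
        "hardened_deploys_benign": not rejected(lambda p: deploy_hardened(p, web), benign_pkg)
        and os.path.isfile(os.path.join(web, "css", "site.css")),
        "ssrf_blocks_metadata_ip": rejected(check_source_url, "http://169.254.169.254/latest/meta-data/"),
        "ssrf_allows_listed_host": not rejected(check_source_url, "https://packages.example.internal/site.zip"),
    }
```

Two design points matter beyond the checks themselves: the hardened path validates every member before writing any, so a bad archive never leaves a half-deployed package behind, and the traversal test compares canonical paths with `os.path.commonpath` rather than looking for a literal `..`, which also catches symlinked and mixed-separator variants. Note that `ZipFile.extractall` already strips traversal components, so the unsafe path writes members by hand to show what a naive deploy routine does.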
2025-04-24 09:31:38 theregister DATA BREACH Third-Party Data Breach Incidents Doubled Last Year: Report
The share of data breaches involving a third party doubled from 15% to 30% last year, according to Verizon's Data Breach Investigations Report. Attackers go after the weaker links in supply chains, such as software vendors, accountants and law firms, to reach larger and better-defended networks. The median time to remediate leaked secrets, such as API keys exposed in public repositories, was 94 days, which leaves a long window for abuse. High-profile incidents, including those affecting Santander and Ticketmaster, were made worse by credential reuse and the absence of mandatory multi-factor authentication: Verizon notes that 80 percent of the affected Snowflake accounts had credentials that were already exposed, pointing to widespread lapses in credential management. The report urges organizations to treat security as a procurement criterion and to manage vendors continuously, and argues that transparent information sharing between organizations improves threat modeling and decision-making.
2025-04-24 07:29:56 theregister NATION STATE ACTIVITY Modified Alpine Quest App Targets Russian Military with Spyware
Russian soldiers are being targeted with a trojanized version of the Alpine Quest Android mapping app built to exfiltrate sensitive data and geolocate its users. The spyware, identified as Android.Spy.1292.origin, was embedded in an older version of the app and distributed through a fake Telegram channel. It connects to a command-and-control server, can download further malicious modules, and harvests documents shared through messaging apps such as Telegram and WhatsApp. Attribution is unconfirmed; involvement of Ukrainian state-backed actors has been suggested but not established. In a separate incident, Kaspersky found a sophisticated backdoor in fake update packages mimicking ViPNet updates, software used by Russian government and financial organizations. Russian entities are meanwhile running their own espionage operations, including phishing campaigns to hijack Microsoft 365 accounts belonging to Ukrainian officials and their allies. The activity on both sides reflects the cyber dimension of the ongoing Ukraine conflict.
2025-04-24 04:07:44 thehackernews MISCELLANEOUS WhatsApp Enhances Privacy with New Chat Security Features
WhatsApp has introduced Advanced Chat Privacy, a setting that limits what can leave a conversation: it blocks chat and media exports, stops media from auto-downloading to recipients' devices, and prevents messages being used with the app's artificial intelligence (AI) features. It is not a hard control, since participants can still screenshot or manually download content, and it is aimed at sensitive group chats where not every member is known to the others. The setting is available to all users on the latest version of the app. Separately, the European Commission fined Meta, WhatsApp's parent company, €200 million for breaching the Digital Markets Act with its "pay or consent" model for personalized ads. The fine covers the period from March 2024, when the DMA took effect, to November 2024, and further penalties are possible if Meta's revised ad model also fails compliance checks. Meta responded that the Commission is discriminating against American firms and that suppressing personalized advertising will harm European businesses and economies.
2025-04-24 00:59:07 theregister RANSOMWARE Cybercrime Losses Hit Record $16.6 Billion as Ransomware Complaints Rise
Cybercrime, including ransomware and digital extortion, cost U.S. businesses and individuals a record $16.6 billion in 2024, the highest loss figure in the 25-year history of the FBI's Internet Crime Complaint Center (IC3). Ransomware complaints rose 9% despite federal disruption efforts such as the takedown of LockBit's infrastructure. Extortion was the second most reported cybercrime with 86,415 complaints, while ransomware-specific complaints totaled 3,156. Critical infrastructure organizations filed nearly 4,900 complaints, with ransomware topping the list at 1,403. The most active groups were Akira, LockBit, RansomHub, Fog and PLAY, and LockBit remained the most persistent ransomware-as-a-service operation of the year. IC3 recorded 67 new ransomware variants in 2024. Reported losses attributed specifically to ransomware fell to $12.5 million from $59.6 million the year before, a figure that covers only losses victims chose to report to IC3 and excludes lost business, downtime and recovery costs.
2025-04-23 22:25:43 theregister DATA BREACH Blue Shield's Major Privacy Breach Involving 4.7M Patients' Data
Blue Shield of California shared protected health information of up to 4.7 million members with Google's advertising platform without their consent. The data may have included names, medical claim service dates, insurance details and other identifiers, which Google could have used for targeted advertising. The sharing was not the result of an external attack but of a configuration that linked Google Analytics to Google Ads. It likely violates HIPAA and raises serious privacy concerns about how patient information is handled. On discovering the issue, Blue Shield severed the link between Google Analytics and Google Ads and began a compliance review. It has notified affected individuals and says that, according to Google, the information was neither misused nor shared further. The incident underscores broader concerns about healthcare organizations' use of web tracking technologies.
2025-04-23 18:35:56 theregister MALWARE Critical Malware Injection Discovered in Ripple's NPM Package
The official npm package for the XRP Ledger, xrpl, used for cryptocurrency transactions and development, was compromised with code that steals private keys. Researchers at Aikido identified five backdoored versions: 4.2.1, 4.2.2, 4.2.3, 4.2.4 and 2.14.2. Anyone who installed them should treat every key handled by that code as compromised. The malicious code's purpose is to capture users' wallet private keys, which could lead to theft of funds; the backdoored versions were observed contacting a suspicious domain. The compromise is tracked as CVE-2025-32965 (CVSS 9.3); beyond the key-theft behaviour, details of how the package was compromised remain unclear. The advice is to upgrade to a clean release (4.2.5 or 2.14.3), rotate private keys and move funds to wallets with fresh keys. The incident exemplifies the growing trend of supply-chain attacks through npm, exploiting its open nature and popularity among developers, and organizations are urged to pin dependencies and monitor their supply chains for similar threats.
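The first practical question after an advisory like this is whether any lockfile in the estate pins one of the backdoored versions, including transitive copies pulled in by some other library. The following is an added example, not code from the article, Aikido or the xrpl project: it audits an npm `package-lock.json` in both the modern lockfileVersion 2/3 layout (a flat `packages` map keyed by install path) and the older v1 nested `dependencies` tree. The two sample lockfiles are constructed for the demo and are not real project files.

```python
"""Added example: audit a package-lock.json for the backdoored xrpl releases.
Not from the article or the xrpl project.  Handles lockfileVersion 2/3
("packages" keyed by install path) and v1 (nested "dependencies"), so a
transitive copy under another library is reported, not just the top-level one.
"""
import json

# Versions named in the advisory summarised above (CVE-2025-32965).
COMPROMISED = {"xrpl": {"4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"}}


def _name_from_lock_path(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (scoped names keep their slash)."""
    return path.rsplit("node_modules/", 1)[-1]


def find_compromised(lock: dict, advisories: dict = COMPROMISED) -> list:
    """Return sorted (install path, package, version) tuples for every match."""
    hits = set()
    packages = lock.get("packages")
    if isinstance(packages, dict):                      # lockfileVersion 2 or 3
        for path, meta in packages.items():
            if not path:                                # "" is the root project itself
                continue
            name = meta.get("name") or _name_from_lock_path(path)
            if meta.get("version") in advisories.get(name, ()):
                hits.add((path, name, meta["version"]))
    else:                                               # lockfileVersion 1
        def walk(deps: dict, prefix: str) -> None:
            for name, meta in (deps or {}).items():
                path = f"{prefix}node_modules/{name}"
                if meta.get("version") in advisories.get(name, ()):
                    hits.add((path, name, meta["version"]))
                walk(meta.get("dependencies"), path + "/")
        walk(lock.get("dependencies"), "")
    return sorted(hits)


def audit_lockfile_text(text: str) -> list:
    """Convenience wrapper: audit the raw JSON text of a lockfile."""
    return find_compromised(json.loads(text))


# Constructed sample lockfiles for the demo (not real project files).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "wallet-app", "lockfileVersion": 3, "packages": {
        "": {"name": "wallet-app", "dependencies": {"xrpl": "^4.2.0"}},
        "node_modules/xrpl": {"version": "4.2.3",
                              "resolved": "https://registry.npmjs.org/xrpl/-/xrpl-4.2.3.tgz"},
        "node_modules/ripple-address-codec": {"version": "5.0.0"},
        "node_modules/legacy-tool/node_modules/xrpl": {"version": "4.2.0"},
    }})

SAMPLE_LOCK_V1 = json.dumps({
    "name": "old-app", "lockfileVersion": 1, "dependencies": {
        "legacy-wallet-lib": {"version": "0.9.1",
                              "dependencies": {"xrpl": {"version": "2.14.2"}}},
        "xrpl": {"version": "2.14.1"},
    }})


if __name__ == "__main__":
    for label, text in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        print(label, audit_lockfile_text(text))
```

A hit means more than a version bump: any key or seed that passed through that install should be rotated and the funds moved, as the advisory says, because the exfiltration has already happened by the time the lockfile is fixed. Running the audit over every lockfile in CI, keyed to an advisory list that is updated as new incidents appear, is the cheap recurring control.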
2025-04-23 18:35:55 bleepingcomputer MALWARE New Android Malware Targets Russian Soldiers Using Fake Mapping App
Security researchers have found Android spyware embedded in trojanized copies of the Alpine Quest mapping app. The malicious builds pose as the paid Alpine Quest Pro app and are distributed through Telegram channels and Russian mobile app repositories, using the promise of a free premium app as the lure for Russian military personnel, among whom the app is popular for field navigation. Once installed, the malware steals documents and messaging data from the device, potentially exposing operational details. Because it runs inside an otherwise functional copy of the app, users have little reason to suspect it. The Russian antivirus firm Doctor Web discovered the trojanized app and named the threat Android.Spy.1292.origin without attributing it to a specific actor. The case puts Russian soldiers on the receiving end of the kind of mobile espionage more often associated with Russian-aligned operators.
2025-04-23 17:43:13 theregister MISCELLANEOUS Agentic AI Set to Dominate Discussion at RSA 2025
The RSA Conference 2025 is expected to focus heavily on agentic AI: task-oriented agents built on top of large language models that act with limited human involvement. Security professionals expect such agents to take on roles from malware analysis to monitoring security operations centers (SOCs) and triaging alerts. While they promise efficiency gains in security and adjacent fields such as payment processing, there are significant concerns about misuse and about data poisoning of the models and sources the agents rely on. Keynotes and vendor displays will showcase both shipping applications and concepts. Skeptics warn against relying on agents without oversight, since an erroneous action could cause a data leak or a denial of service. Security leaders urge rigorous validation of agent actions to avoid operational disruption and unintended consequences in sensitive environments such as manufacturing. The article's view is that agentic AI brings real possibilities but needs careful scrutiny and governance to manage privacy, security and operational risk, and it notes that the hype at RSAC may crowd out the harder discussion of deploying these systems safely in production.
2025-04-23 17:43:12 bleepingcomputer MISCELLANEOUS WhatsApp Introduces Advanced Chat Privacy for Enhanced Security
WhatsApp has launched Advanced Chat Privacy, a feature meant to keep the contents of private and group chats from leaving the app. It prevents the export of chat histories and limits automatic downloading and external use of media. Users enable it from a chat's options. It is a partial control: sensitive information can still be captured manually, for example by photographing the screen. The feature continues WhatsApp's privacy work following end-to-end encryption and encrypted chat backups, and further enhancements to it are in development. These measures are part of WhatsApp's broader strategy to secure communications for its two billion users.
2025-04-23 17:11:59 thehackernews NATION STATE ACTIVITY North Korea Hackers Exploit Cryptocurrency Sectors, Employ Deepfakes
DPRK-nexus hackers stole $137M from TRON users in a phishing campaign, one example of financially motivated operations driven by international sanctions. Mandiant's M-Trends 2025 report tracks several North Korean clusters (UNC1069, UNC4899, UNC5342, UNC4736 and UNC3782) targeting the cryptocurrency and Web3 sectors with tooling that runs on Windows, Linux and macOS and is aimed at crypto wallets and blockchain firms. UNC3782 ran the TRON phishing campaign in 2023 and in 2024 turned to Solana users with wallet-draining pages. Alongside direct theft, North Korea places IT workers at companies abroad under fake identities, some supported by deepfake technology; their earnings are funnelled back to the regime, and they retain access to victim networks to support extortion schemes. Techniques include deepfaked video interviews and applying for the same position under several synthetic identities, which raises the odds of placement and makes detection harder. At least 12 false personas were used to apply for jobs in the U.S. and Europe, and some operatives obtained employment and continued malicious activity inside the targeted organizations.
2025-04-23 15:41:05 bleepingcomputer DATA BREACH 4.7 Million Members' Health Data Exposed by Blue Shield of California
Blue Shield of California has disclosed a data breach affecting 4.7 million members. Protected health information was exposed to Google's analytics and advertising platforms through a misconfiguration that linked Google Analytics to Google Ads, and the data may have been used for targeted advertising. The exposure ran for nearly three years, from April 2021 to January 2024. Social Security numbers and financial information were not involved. Members are advised to watch their accounts for unauthorized activity; Blue Shield has not committed to offering identity theft protection. This follows another significant data incident involving Blue Shield and ransomware actors last year.
2025-04-23 15:24:22 bleepingcomputer CYBERCRIME FBI Reports $16.6 Billion Lost to Cybercrime in 2024
The FBI recorded a record $16.6 billion in cybercrime losses in 2024, a 33% increase over the previous year. The Internet Crime Complaint Center (IC3) received 859,532 complaints, of which 256,256 involved an actual financial loss. Americans over 60 were hit hardest, accounting for nearly $4.8 billion of reported losses. Ransomware remained the most significant threat to critical infrastructure, with complaints up 9% year on year. Over the last five years IC3 has logged more than 4.2 million complaints and $50.5 billion in losses. The report stresses that real losses are higher, since many incidents are never reported or detected. The FBI also warns of scammers impersonating IC3 staff and offering fake recovery services to defraud victims a second time.
2025-04-23 14:59:23 bleepingcomputer MALWARE ASUS Issues Firmware Updates to Mitigate Server Hijacking Risk
ASUS has released firmware updates for CVE-2024-54085, a critical vulnerability in the MegaRAC baseboard management controller (BMC) firmware made by American Megatrends International (AMI), which also affects other server vendors including HPE. The flaw is an authentication bypass in the BMC's remote management (Redfish) interface: a remote attacker who can reach that interface can take control of the server, deploy malware, tamper with firmware and potentially brick the motherboard, causing permanent damage. AMI had already provided patches; ASUS has now shipped them for four affected motherboard models and urges immediate updates, with instructions on its website. Because the flaw is remotely exploitable and the damage can be irreversible, BMC interfaces should also be kept off the internet and confined to an isolated management network while the fleet is patched.
2025-04-23 14:03:34 bleepingcomputer CYBERCRIME Modern Phishing Tactics Render Traditional Detection Ineffective
Phishing attacks in 2025 are increasingly built to evade traditional detection, using MFA-bypassing phishing kits (adversary-in-the-middle proxies that relay the real login and capture the resulting session) and infrastructure that looks new on every attack. Conventional detection depends on blocklists of domains, URLs and IPs identified after an attack, which cannot stop the first wave. Attackers rotate through disposable domains and change delivery vectors, so indicator-based blocking lags behind. Email remains the main channel, but multi-channel delivery complicates identifying malicious pages. Evasion techniques such as CAPTCHA gates and obfuscated JavaScript defeat sandboxes and static analysis, which only ever see the benign version of the page. Because detection happens after the fact, attackers often harvest credentials before anyone responds. The piece proposes browser-based detection that inspects the page in real time as the user interacts with it as the way forward; it is written by Push Security, a vendor of such browser-based detection, which claims significant visibility and response advantages over traditional methods.
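What "detection in the browser rather than on a blocklist" means in practice is looking at the rendered page itself: does it ask for a password, which brand does it imitate, where does the form post, and is the hostname what it pretends to be. The following is an added example, not Push Security's product code, that models those page-level signals in Python over a small constructed set of observations. The brand-to-domain map, the page samples and the two-label approximation of a registrable domain are assumptions for the demo; a real deployment would use a public-suffix list, a maintained brand list, and would also weigh domain age, which cannot be checked offline.

```python
"""Added example (not Push Security's code): page-level phishing heuristics of
the kind a browser-side detector can apply in real time without a blocklist.
Signals: brand lure on a non-brand domain, IDN (punycode) hostnames, and a
login form posting credentials to a different registrable domain.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Assumption: small brand -> legitimate login-domain map for the demo.
KNOWN_LOGIN_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com"},
    "okta": {"okta.com"},
    "google": {"google.com"},
    "apple": {"apple.com", "icloud.com"},
}


@dataclass
class PageObservation:
    """What a content script can see on a rendered page (constructed here)."""
    url: str
    has_password_field: bool
    form_action: Optional[str]   # action of the form that holds the password field
    title: str


def registrable_domain(host: str) -> str:
    """Last two labels; a simplification (no public-suffix list) for the demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess(page: PageObservation) -> dict:
    """Return the findings for one page and a block/allow verdict."""
    findings = []
    host = (urlparse(page.url).hostname or "").lower()
    page_domain = registrable_domain(host)
    visible = f"{host} {page.title}".lower()

    # Punycode labels hide homoglyph lookalikes behind an ASCII hostname.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("idn_punycode_hostname")

    if page.has_password_field:
        # A brand name in the hostname or title on a domain the brand does not own.
        for brand, domains in KNOWN_LOGIN_DOMAINS.items():
            if brand in visible and page_domain not in domains:
                findings.append(f"brand_lure:{brand}")
        # Credentials leaving for a different registrable domain than the page.
        if page.form_action:
            action_host = urlparse(page.form_action).hostname
            if action_host and registrable_domain(action_host) != page_domain:
                findings.append("credentials_posted_cross_domain")

    return {"host": host, "findings": findings, "verdict": "block" if findings else "allow"}


# Constructed observations: one legitimate login and three lure patterns.
SAMPLE_PAGES = [
    PageObservation("https://login.microsoftonline.com/common/oauth2/v2.0/authorize", True,
                    "https://login.microsoftonline.com/common/login", "Sign in to your account"),
    PageObservation("https://login.microsoftonline.com.verify-account-portal.net/auth", True,
                    "https://verify-account-portal.net/collect.php", "Sign in to your account"),
    PageObservation("https://xn--80ak6aa92e.com/login", True, None, "Apple ID - Sign In"),
    PageObservation("https://docs-share-preview.example/view", True,
                    "https://collector.another-host.example/p", "Shared document"),
]


if __name__ == "__main__":
    for page in SAMPLE_PAGES:
        result = assess(page)
        print(result["verdict"], result["host"], result["findings"])
```

None of these signals needs the domain to have been seen before, which is the point the article makes against blocklists; the cost is false positives (a legitimate SSO broker posting to a different domain, for instance), so a production detector would score and combine signals and confirm against an allow-list of known identity providers rather than block on any single one.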