Daily Brief

Articles are listed below; the summaries are automatically generated.

Total articles found: 11824

Checks for new stories every ~15 minutes

2025-04-16 14:08:23 bleepingcomputer MISCELLANEOUS Enhancing Cyber Defenses Through Adversarial Exposure Validation
According to Picus Security, 41% of attacks bypass existing security controls in most organizations. Annual penetration tests and periodic vulnerability scans cannot keep pace with a threat landscape that changes daily. Breach and Attack Simulation (BAS) and automated penetration testing (the article abbreviates it APT, not to be confused with advanced persistent threat) provide continuous validation by safely emulating real-world attacks, exposing exploitable weaknesses and controls that fail to detect or block them without risking downtime. Adversarial Exposure Validation combines the two to show both how effective the controls are and which attack paths remain open, so organizations can close gaps, manage risk proactively, prepare for breaches, and measure improvement over time.
2025-04-16 13:06:37 bleepingcomputer MISCELLANEOUS CISA Secures Funding Continuation for Critical CVE Program
CISA has extended funding for the Common Vulnerabilities and Exposures (CVE) program, averting a lapse after MITRE warned that its government funding was about to expire. MITRE had cautioned that a break in service would degrade national vulnerability databases, incident response, and the operations of security tool vendors. The CVE program, operated by MITRE and funded by the U.S. Department of Homeland Security, provides the common identifiers that make vulnerability discussion and tracking consistent across the industry. Separately, a newly announced CVE Foundation, organized as a non-profit, aims to make the program independent of a single government sponsor and keep it globally neutral and sustainable. ENISA has also launched the European Vulnerability Database (EUVD), built on a multi-stakeholder model, adding another component to the global vulnerability-tracking infrastructure.
2025-04-16 12:50:44 thehackernews CYBERCRIME Google Blocks Billions of Harmful Ads, Suspends Millions of Accounts
Google suspended 39.2 million advertiser accounts in 2024 to stop harmful ads. It blocked 5.1 billion ads, restricted a further 9.1 billion, and blocked or restricted ads on 1.3 billion publisher pages. The most common policy violations were ad network abuse, trademark misuse, and misrepresentation; the content categories most often restricted included sexual content, hate speech, malware, and weapons. Google used AI-driven models to catch emerging abuse such as AI-generated deepfakes and scam ads, and more than 5 million accounts were suspended specifically for scam-related violations, some of which used AI-generated impersonations of public figures. Advertiser identity verification now covers more than 200 countries, which Google presents as a transparency measure, particularly for election advertising. The figures illustrate how quickly ad-abuse tactics shift and how much enforcement now depends on automated detection.
2025-04-16 12:32:15 theregister MALWARE Russian Cyber Spies Deploy Malware via Fake Diplomatic Invites
Russian cyber group Cozy Bear, also known as APT29, targeted European diplomats with phishing emails impersonating a European Ministry of Foreign Affairs and inviting recipients to an exclusive wine-tasting event. Targets who did not respond received follow-up emails to raise the odds of engagement. The emails carried a link that, only when certain conditions were met, served an archive named wine.zip. The archive delivers GrapeLoader, which establishes persistence through the Windows Registry, gathers host information, and beacons regularly to a command-and-control server. The campaign is assessed to be Russian state-directed espionage against Western political targets; Cozy Bear was previously tied to the SolarWinds supply-chain compromise and to operations against the 2016 US election.
2025-04-16 11:52:27 thehackernews CYBERCRIME AI Platform Exploited in Multi-Stage Phishing Attack Chain
Threat actors are abusing the Gamma AI presentation platform in a multi-stage phishing chain that ends at a fake Microsoft SharePoint login. The chain starts with an email, often sent from a compromised legitimate account, that carries a link disguised as a PDF. The link opens a Gamma-hosted presentation with a button to view "Secure Documents", followed by an intermediate impersonation page that shows a Cloudflare Turnstile challenge, which both lends legitimacy and blocks automated URL analysis. The final page imitates the SharePoint sign-in form and harvests credentials, validating them in real time so that the page behaves like the genuine login. Hosting each stage on a trusted service (living-off-trusted-sites, LOTS) lets the links pass reputation-based email filters and hides the pages' purpose. Microsoft separately reports a rise in AI-assisted fraud and fabricated content. The campaign shows attackers continually adopting new platforms and tactics to reach users.
2025-04-16 11:27:12 thehackernews CYBERCRIME Emerging Cyber Risks in Supply Chains Amid U.S. Tariffs
Cyber threats to supply chains have grown as companies depend more on third-party vendors and global logistics. Attackers exploit weaknesses in interconnected systems to enter through a vendor and reach sensitive data and operational controls. The 2024 ransomware attack on Change Healthcare, which disrupted operations and exposed data on millions of people, is the recent reference case. Manufacturing, healthcare, retail, energy, and banking are most exposed because of their complex supplier networks. The article recommends Continuous Threat Exposure Management (CTEM) and automated penetration testing as proactive measures, and compliance with frameworks such as NIST and ISO 27001 as a security baseline for the supply chain. It also argues that U.S. tariffs on foreign goods could create new cyber risk by pushing companies to re-source from unfamiliar, possibly less secure suppliers, and that resilience requires moving from reactive measures to proactive strategies, including AI-driven threat detection.
2025-04-16 10:41:20 thehackernews MALWARE Advanced BPFDoor Malware Facilitates Espionage in Asia, Middle East
Trend Micro has identified a previously undocumented controller for BPFDoor, a Linux backdoor used in recent intrusions in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt, mainly against telecommunications, finance, and retail organizations. BPFDoor attaches a Berkeley Packet Filter program to a raw socket, so the implant inspects inbound traffic at the kernel level before the host firewall processes it and opens no listening port; it stays dormant until a packet carrying a specific "magic" byte sequence arrives, which makes it well suited to long-term espionage and lateral movement. The newly found controller is the operator-side tool that sends those activation packets: it supports multiple protocols, offers an encrypted mode for its command channel, and can open a reverse shell on the infected host, giving the operators remote control over many systems at once. Trend Micro attributes the activity to Earth Bluecrow (also tracked as DecisiveArchitect and Red Menshen) and stresses that defenders need to be able to read and analyze BPF programs, since the filter itself encodes what the backdoor is waiting for.
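To make the "analyze the BPF code" advice concrete, here is an added example (not Trend Micro's code and not BPFDoor's actual filter): a small classic-BPF disassembler and interpreter in Python. MAGIC_FILTER is a constructed filter of the kind a magic-packet backdoor would attach with SO_ATTACH_FILTER (IPv4, UDP, and a fixed 4-byte value at the start of the UDP payload); the magic value 0xdeadbeef, the offsets and the 20-byte IP header are this example's assumptions. compare_constants() pulls out the offset/value pairs the filter is keyed on, which is the first thing to extract from a suspicious filter dumped with `ss -0pb` or recovered from a sample, and run_filter() replays a constructed packet through it the way the kernel would.

```python
"""Added example: a minimal classic-BPF (cBPF) disassembler and interpreter.
Encodings follow <linux/filter.h>; a program is a list of (code, jt, jf, k)
tuples as passed to SO_ATTACH_FILTER or printed by `tcpdump -dd`."""
import struct

BPF_LD, BPF_LDX, BPF_ST, BPF_STX, BPF_ALU, BPF_JMP, BPF_RET, BPF_MISC = range(8)
BPF_W, BPF_H, BPF_B = 0x00, 0x08, 0x10                        # load width
BPF_IMM, BPF_ABS, BPF_IND, BPF_MEM, BPF_LEN, BPF_MSH = 0x00, 0x20, 0x40, 0x60, 0x80, 0xA0
BPF_X = 0x08                                                  # operand is X, else #k
JMP_OPS = {0x00: "ja", 0x10: "jeq", 0x20: "jgt", 0x30: "jge", 0x40: "jset"}
ALU_OPS = {0x00: "add", 0x10: "sub", 0x20: "mul", 0x30: "div", 0x40: "or", 0x50: "and",
           0x60: "lsh", 0x70: "rsh", 0x80: "neg", 0x90: "mod", 0xA0: "xor"}
WIDTH = {BPF_W: 4, BPF_H: 2, BPF_B: 1}
SUFFIX = {BPF_W: "", BPF_H: "h", BPF_B: "b"}

# Constructed magic-packet filter (an assumption for this example, not the malware's).
# Ethernet offsets: 12 = ethertype, 23 = IPv4 protocol, 42 = first UDP payload byte
# (14 + 20 + 8). It assumes a 20-byte IP header; a real filter would also check IHL.
MAGIC_FILTER = [
    (0x28, 0, 0, 12),          # ldh [12]
    (0x15, 0, 5, 0x0800),      # jeq #0x800       IPv4, else L7 (drop)
    (0x30, 0, 0, 23),          # ldb [23]
    (0x15, 0, 3, 17),          # jeq #17          UDP, else L7
    (0x20, 0, 0, 42),          # ld  [42]
    (0x15, 0, 1, 0xDEADBEEF),  # jeq #0xdeadbeef  assumed magic value, else L7
    (0x06, 0, 0, 0xFFFF),      # ret #65535       accept
    (0x06, 0, 0, 0),           # ret #0           drop
]

def disassemble(prog):
    """Render prog as bpf_asm-style text with resolved jump targets."""
    lines = []
    for i, (code, jt, jf, k) in enumerate(prog):
        cls, mode, width = code & 0x07, code & 0xE0, code & 0x18
        if cls in (BPF_LD, BPF_LDX):
            reg = "ld" if cls == BPF_LD else "ldx"
            text = {BPF_ABS: f"{reg}{SUFFIX[width]} [{k}]", BPF_IND: f"{reg}{SUFFIX[width]} [x + {k}]",
                    BPF_IMM: f"{reg} #{k:#x}", BPF_LEN: f"{reg} #len", BPF_MEM: f"{reg} M[{k}]",
                    BPF_MSH: f"ldxb 4*([{k}]&0xf)"}[mode]
        elif cls == BPF_JMP:
            op, src = JMP_OPS[code & 0xF0], "x" if code & BPF_X else f"#{k:#x}"
            text = f"ja L{i + 1 + k}" if op == "ja" else f"{op} {src}, L{i + 1 + jt}, L{i + 1 + jf}"
        elif cls == BPF_RET:
            text = "ret a" if width == 0x10 else ("ret x" if code & BPF_X else f"ret #{k}")
        elif cls == BPF_ALU:
            text = f"{ALU_OPS[code & 0xF0]} " + ("x" if code & BPF_X else f"#{k:#x}")
        elif cls == BPF_MISC:
            text = "txa" if (code & 0xF8) == 0x80 else "tax"
        else:
            text = f"{'st' if cls == BPF_ST else 'stx'} M[{k}]"
        lines.append(f"L{i}: {text}")
    return lines

def run_filter(prog, pkt):
    """Execute prog over pkt; return the accept length (0 = drop) as the kernel would."""
    a = x = pc = 0
    mem = [0] * 16                                            # BPF_MEMWORDS scratch slots
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        cls, mode, width = code & 0x07, code & 0xE0, code & 0x18
        if cls in (BPF_LD, BPF_LDX):
            if mode in (BPF_ABS, BPF_IND, BPF_MSH):
                off, n = k + (x if mode == BPF_IND else 0), 1 if mode == BPF_MSH else WIDTH[width]
                if off < 0 or off + n > len(pkt):
                    return 0                                  # out-of-bounds load drops the packet
                val = int.from_bytes(pkt[off:off + n], "big")
                val = (val & 0x0F) * 4 if mode == BPF_MSH else val   # MSH: IP header length
            else:
                val = k if mode == BPF_IMM else len(pkt) if mode == BPF_LEN else mem[k]
            a, x = (val, x) if cls == BPF_LD else (a, val)
        elif cls in (BPF_ST, BPF_STX):
            mem[k] = a if cls == BPF_ST else x
        elif cls == BPF_ALU:
            op, src = code & 0xF0, x if code & BPF_X else k
            if op in (0x30, 0x90) and src == 0:
                return 0                                      # division by zero drops the packet
            a = {0x00: a + src, 0x10: a - src, 0x20: a * src, 0x30: a // src if src else 0,
                 0x40: a | src, 0x50: a & src, 0x60: a << (src & 31), 0x70: a >> (src & 31),
                 0x80: -a, 0x90: a % src if src else 0, 0xA0: a ^ src}[op] & 0xFFFFFFFF
        elif cls == BPF_JMP:
            op, src = code & 0xF0, x if code & BPF_X else k
            if op == 0x00:
                pc += k
            else:
                taken = {0x10: a == src, 0x20: a > src, 0x30: a >= src, 0x40: bool(a & src)}[op]
                pc += jt if taken else jf
        elif cls == BPF_RET:
            return a if width == 0x10 else (x if code & BPF_X else k)
        else:                                                 # BPF_MISC: txa / tax
            a, x = (x, x) if (code & 0xF8) == 0x80 else (a, a)
    return 0

def compare_constants(prog):
    """Triage: (offset, width, value) for each absolute load followed by `jeq #k`,
    i.e. the byte patterns the filter is keyed on."""
    return [(k, WIDTH[code & 0x18], nk)
            for (code, _, _, k), (ncode, _, _, nk) in zip(prog, prog[1:])
            if (code & 0xE7) == (BPF_LD | BPF_ABS) and ncode == 0x15]

def build_udp_frame(payload, proto=17):
    """Constructed Ethernet/IPv4/UDP frame (checksums zeroed) carrying payload."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    return eth + ip + udp + payload

if __name__ == "__main__":
    print("\n".join(disassemble(MAGIC_FILTER)))
    print("keyed on:", [(o, w, hex(v)) for o, w, v in compare_constants(MAGIC_FILTER)])
    print("magic ->", run_filter(MAGIC_FILTER, build_udp_frame(b"\xde\xad\xbe\xef:cmd")),
          "normal ->", run_filter(MAGIC_FILTER, build_udp_frame(b"hello world")))
```

Loads that run past the end of the packet return 0 (drop) rather than raising, matching the kernel's behaviour, so a frame too short to hold the magic value is silently ignored just as a dormant implant would ignore it.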
2025-04-16 10:34:42 thehackernews MISCELLANEOUS Wing Security Enhances SaaS Protection with Identity Defense
Wing Security's platform targets the rise in SaaS breaches by combining identity management with threat detection. With most breaches traced to identity and credential weaknesses or misconfigurations, the company argues that SaaS security has to be identity-centric. Discovery is agentless, using APIs to connect to the major identity providers and SaaS applications for a full inventory of users, integrations, and settings. Identity events are correlated and mapped to MITRE ATT&CK techniques, and each detection carries a breach-confidence score so teams can prioritize; the company says this shortens the median time to resolution. Guided mitigation playbooks walk SecOps teams through the steps to contain a threat and prevent recurrence, and continuous monitoring for misconfigurations and risky settings addresses root causes rather than symptoms. In effect the product merges SaaS Security Posture Management (SSPM) with Identity Threat Detection and Response (ITDR) to defend against identity-based attacks.
2025-04-16 07:39:57 thehackernews MALWARE Chinese Phones Shipped with Trojanized WhatsApp, Target Cryptocurrency
Chinese manufacturers have shipped Android phones with pre-installed, trojanized versions of WhatsApp and Telegram aimed at cryptocurrency users, according to Russian antivirus vendor Doctor Web. The affected devices are low-end handsets that mimic premium models from brands such as Samsung and Huawei. The trojanized messengers alter cryptocurrency wallet addresses in chat messages so that funds are redirected to the attackers, and they also harvest device data and personal media files. The operators use the open-source LSPatch framework to inject the Shibai trojan into legitimate apps; around 40 applications are affected, including messengers and QR-code scanners. The infrastructure spans roughly 30 domains and more than 60 command-and-control servers. Nearly two dozen wallets tied to the operators received over $1.6 million in the past two years. Separate reporting describes Gorilla, a new Android malware focused on data collection and persistent access, a reminder that Android threats continue to evolve.
2025-04-16 06:27:29 theregister CYBERCRIME Study Reveals Ransom Demands Spike with Cyber-Insurance Discovery
Ransomware attackers raise their demands by about 2.8 times on average when they learn the victim holds cyber insurance, according to Dutch researcher Tom Meurs, who analyzed 453 ransomware incidents from 2019 to 2021. In double-extortion cases against insured victims the increase was 5.5 times. Insured companies paid 44% of the time, nearly twice the rate of uninsured companies, and paid considerably more. The most common initial access vectors were phishing emails, malicious mobile apps, and vulnerabilities in outdated software. The IT sector was heavily targeted both for its payout potential and because a single compromise of a provider often victimized several of its customers. Only about 40% of ransomware attacks are reported to police, and reporting rates for other online fraud are far lower. Working backups cut the likelihood of paying by about 27 times, yet some organizations with backups still pay to speed recovery or limit reputational damage, and the study cites reports that 85% of backups fail during an attack.
2025-04-16 06:20:36 bleepingcomputer MISCELLANEOUS Urgent Funding Crisis Risks Global Cybersecurity Standards
Funding for MITRE's CVE and CWE programs, sponsored by the U.S. Department of Homeland Security, expires today, alarming the global security community. CVE is the standard way to identify and discuss vulnerabilities worldwide, and MITRE warned that losing it would degrade national vulnerability databases, vendor advisories, and the security tools built on them. Former CISA director Jen Easterly and other leaders warned that a lapse would break trusted coordination processes across the globe, with direct effects on incident response and critical infrastructure protection that rise to the level of national security. DHS says it is working to mitigate the funding lapse and keep CVE services running for the organizations that depend on them. The crisis arrives while NIST is still working through a large backlog of CVEs awaiting enrichment in the National Vulnerability Database (NVD).
2025-04-16 05:15:07 thehackernews MISCELLANEOUS U.S. Govt Funding Ends for MITRE’s CVE Program; Cybersecurity Risks Loom
U.S. government funding for MITRE's operation of the CVE program expires on April 16, threatening a cornerstone of global vulnerability management. The CVE system catalogs publicly disclosed vulnerabilities under unique identifiers, and MITRE warns that without continued support national vulnerability databases, advisories, and critical infrastructure defenders would all suffer. The government says it is still working to preserve MITRE's role. Anticipating disruption, VulnCheck, a CVE Numbering Authority, reserved 1,000 CVE IDs for 2025 in advance. Experts expect a lapse to delay vulnerability disclosures and distort risk assessments, and note that the Common Weakness Enumeration (CWE) project, which underpins secure-coding guidance and prioritization, is at risk as well.
2025-04-16 00:06:11 theregister NATION STATE ACTIVITY U.S. Government Halts Funding for Essential CVE Program
U.S. government funding for the CVE program, the global reference for tracking security flaws, ends on Wednesday, April 16. The program is run by MITRE under a Department of Homeland Security contract that has not been renewed amid federal budget cuts; without alternative funding, publication of new CVE IDs and operation of the program's website could stop shortly afterward. CVE IDs give companies and organizations worldwide a common vocabulary for vulnerability management, and more than 40,000 were issued last year. Industry figures including Katie Moussouris and Dustin Childs warned of severe consequences for vulnerability management and of national security risks, and discussion has turned to whether the security industry should fund the program itself. Historical CVE records remain available in the program's GitHub repository, which provides some continuity.
2025-04-15 20:46:33 theregister DATA BREACH Over 1.6 Million Affected in IT Provider Security Breach
Texas-based IT provider Landmark Admin now says 1.6 million people had data stolen in its breach, double the number first disclosed. The data includes Social Security numbers, driver's license and passport numbers, financial account details, medical information, and insurance policy information; no payment card data was taken, but what was taken is well suited to identity theft and targeted phishing. The company describes two separate intrusions, the second of which involved both theft and encryption of data, consistent with a ransomware attack. Landmark is offering affected individuals 12 months of credit monitoring, a $1 million identity theft insurance reimbursement policy, and managed identity recovery services. Because Landmark provides back-office services to several American insurers, the breach is another example of attackers reaching many organizations through one third-party supplier; a class-action lawsuit has already been filed.
2025-04-15 20:31:45 bleepingcomputer NATION STATE ACTIVITY Midnight Blizzard's New Malware Targets European Embassies
Russian cyberespionage group Midnight Blizzard, also known as APT29 or Cozy Bear, is running a spear-phishing campaign against European diplomatic entities that debuts a new loader, GrapeLoader, used to deliver an updated version of the WineLoader backdoor. The emails spoof legitimate Ministry of Foreign Affairs sender addresses and invite the recipient to a wine-tasting event; the link serves an archive containing a legitimate executable alongside a malicious DLL, which the executable sideloads to run GrapeLoader. The loader delays execution of its shellcode and manipulates memory page protections to frustrate antivirus scanning, performs initial reconnaissance of the host, and then stages WineLoader, a modular backdoor that collects detailed system and user information. The new WineLoader build adds heavier obfuscation that makes analysis and detection considerably harder. Because it runs only in memory and is delivered to narrowly selected targets, the full set of follow-on payloads remains unknown.