Daily Brief

The article summaries below are machine-generated from the linked stories.

2025-04-15 09:15:32 thehackernews MALWARE North Korea-Linked Group Uses Fake Job Offers to Spread Malware
Slow Pisces, a North Korea-linked group also tracked as Jade Sleet and TraderTraitor, targets cryptocurrency developers on LinkedIn with malware-laced coding challenges. Posing as recruiters, the attackers send what look like take-home coding assignments, mainly to people working in the blockchain and crypto sectors. The infection chain delivers RN Loader and then RN Stealer, which harvests sensitive data from compromised macOS systems, including iCloud Keychain contents and SSH keys. Palo Alto Networks' Unit 42 found that the next-stage payload is served only when the requester passes checks such as source IP address and system details, so analysts and sandboxes fetching the same URL receive nothing. Each stage of the multi-stage chain runs only under those conditions, which keeps the operation quiet and limits it to intended targets. Rather than calling conspicuous functions such as eval or exec, the loader executes attacker-supplied code through YAML deserialization, which is less likely to be flagged by static inspection. This tight control over payload delivery keeps the group out of broad detections and preserves its operational security. Security researchers have linked the same group to other campaigns that use job-offer lures to distribute malware.
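The summary above describes code execution through YAML deserialization rather than eval or exec. The following added example (not Unit 42's code, and not the group's loader) shows the primitive involved and a static check a defender can run over retrieved payloads: PyYAML's `!!python/object/apply` and related tags instantiate or call arbitrary Python objects when a document is loaded with an unsafe loader, so a document carrying them can be rejected before it is ever parsed. The sample documents are constructed for illustration.

```python
"""Flag YAML documents that carry PyYAML Python-object tags without executing them.

Added example; the sample documents below are constructed, not captured payloads.
"""
import re
from typing import List, Optional, Tuple

# Tags that make PyYAML instantiate or call Python objects when a document is
# loaded with yaml.load(..., Loader=yaml.Loader | yaml.UnsafeLoader | yaml.FullLoader).
# yaml.safe_load refuses them, but the unsafe loaders turn them into code execution.
DANGEROUS_TAG = re.compile(r"!!python/(?:object(?:/apply|/new)?|name|module)\b")


def find_dangerous_tags(doc: str) -> List[Tuple[int, str]]:
    """Return (line_number, tag) for every Python-object tag found in the document."""
    hits = []
    for lineno, line in enumerate(doc.splitlines(), start=1):
        for match in DANGEROUS_TAG.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def is_safe_to_load(doc: str) -> bool:
    """True when the document carries no tag that an unsafe loader would execute."""
    return not find_dangerous_tags(doc)


# Constructed sample: a project config that looks like an ordinary coding challenge ...
BENIGN = """\
project: trading-bot
dependencies:
  - requests
  - pandas
"""

# ... and one that abuses a Python-object tag to run code at load time.
# The string is inert here: nothing in this file passes it to yaml.load.
MALICIOUS = """\
project: trading-bot
settings: !!python/object/apply:os.system ["id"]
"""


def safe_load_or_reject(doc: str) -> Optional[object]:
    """Gate on the static check, then parse with yaml.safe_load if PyYAML is installed.

    Returns None when PyYAML is unavailable; raises ValueError for dangerous documents
    so they never reach a loader at all.
    """
    hits = find_dangerous_tags(doc)
    if hits:
        raise ValueError(f"refusing to load: Python object tags at {hits}")
    try:
        import yaml  # optional dependency; the static gate above does not need it
    except ImportError:
        return None
    return yaml.safe_load(doc)


if __name__ == "__main__":
    print("benign:", safe_load_or_reject(BENIGN))
    try:
        safe_load_or_reject(MALICIOUS)
    except ValueError as exc:
        print("blocked:", exc)
```

The regex gate is deliberately conservative: it rejects any `!!python/…` object tag, including forms that would merely construct an object, because a coding-assignment repository has no legitimate reason to ship them. In code review, the matching control is to grep the project for `yaml.load(` calls that pass anything other than `SafeLoader`.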
2025-04-15 07:44:53 theregister NATION STATE ACTIVITY EU Issues Burner Devices for US Trips Amid Espionage Fears
The European Commission is issuing burner phones and laptops to staff traveling to the U.S., a precaution it previously reserved for trips to countries such as China and Russia where aggressive surveillance is expected. The change signals a marked shift in how the EU assesses the risk of U.S. travel. Recent U.S. actions, including threats to take Greenland and the imposition of tariffs, along with controversial support for certain public figures, have chilled transatlantic relations. Several European countries have updated their U.S. travel advisories, urging strict compliance with entry requirements and warning of possible entry denial, particularly for travelers who have expressed political opinions. The Commission's updated guidance is meant to protect its internal communications and data from device searches and interception. Officials and experts note that spying among allies is routine, but resorting to burner devices shows how far mistrust has grown. The policy is also read as a pragmatic acknowledgment of U.S. surveillance capabilities, whichever administration is in power.
2025-04-15 04:40:31 thehackernews CYBERCRIME Critical RCE Vulnerability in Gladinet Products Exploited Actively
A critical remote code execution vulnerability in Gladinet's CentreStack and Triofox products has been exploited against at least seven organizations, according to Huntress. The flaw, tracked as CVE-2025-30406 (CVSS 9.0), stems from a hardcoded ASP.NET machineKey shipped in the product's web.config: anyone who knows the key can forge ViewState payloads that the server accepts as trusted and deserializes, which yields code execution on internet-facing servers. It was exploited as a zero-day in March 2025 before Gladinet fixed it in CentreStack version 16.4.10315.56368; Triofox is affected up to and including version 16.4.10317.56372 because it ships the same static key, and Gladinet's interim mitigation is to rotate the machineKey values. In observed intrusions, attackers used encoded PowerShell to download a malicious DLL, mirroring tactics seen in other recent breaches, then moved laterally and installed the MeshCentral and MeshAgent remote access tools. Huntress telemetry shows CentreStack installed on roughly 120 endpoints across its partner base. Users of the affected products should update immediately and, until they can, rotate the machineKey.
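The root cause described above is a static ASP.NET machineKey that every install shares, which lets an attacker forge MAC-valid ViewState. The following added example (not Gladinet's code or advisory) audits web.config files for explicit machineKey values, reports keys that recur across several installs, and generates per-install replacement keys for rotation. The configs and key values below are constructed placeholders; no real product key appears here.

```python
"""Audit ASP.NET web.config files for static <machineKey> values shared across installs.

Added example; SAMPLE_CONFIGS and STATIC_* values are constructed, not vendor data.
"""
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List

KEY_ATTRS = ("validationKey", "decryptionKey")


def machine_key(config_xml: str) -> Dict[str, str]:
    """Return the attributes of <system.web><machineKey .../>, or {} when absent."""
    root = ET.fromstring(config_xml)
    element = root.find("./system.web/machineKey")
    return dict(element.attrib) if element is not None else {}


def is_static_key(attrs: Dict[str, str]) -> bool:
    """A key is static when either value is literal hex rather than AutoGenerate[,IsolateApps]."""
    return any(not attrs.get(name, "AutoGenerate").startswith("AutoGenerate") for name in KEY_ATTRS)


def shared_keys(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each literal key value to the hosts using it; more than one host means a shared secret."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for host, xml_text in configs.items():
        attrs = machine_key(xml_text)
        for name in KEY_ATTRS:
            value = attrs.get(name)
            if value and not value.startswith("AutoGenerate"):
                seen[value].append(host)
    return {key: hosts for key, hosts in seen.items() if len(hosts) > 1}


def fresh_machine_key() -> Dict[str, str]:
    """Per-install replacement: 64 random bytes for HMACSHA256 validation, 32 bytes for AES."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


TEMPLATE = """<configuration>
  <system.web>
    <machineKey validationKey="{v}" decryptionKey="{d}" validation="HMACSHA256" decryption="AES"/>
  </system.web>
</configuration>"""

# Constructed placeholders standing in for a vendor-baked key (not the real one).
STATIC_VAL = "A" * 128
STATIC_DEC = "B" * 64
_rotated = fresh_machine_key()

# Constructed fleet: two installs still carry the baked-in key, one has been rotated.
SAMPLE_CONFIGS = {
    "server-a": TEMPLATE.format(v=STATIC_VAL, d=STATIC_DEC),
    "server-b": TEMPLATE.format(v=STATIC_VAL, d=STATIC_DEC),
    "server-c": TEMPLATE.format(v=_rotated["validationKey"], d=_rotated["decryptionKey"]),
}


if __name__ == "__main__":
    for key, hosts in shared_keys(SAMPLE_CONFIGS).items():
        print(f"shared key {key[:8]}... on {hosts}; rotate to e.g. {fresh_machine_key()}")
```

A static key is not wrong by itself (web farms need one so every node validates the same ViewState), so the finding that matters is the same value appearing on unrelated installations, which is what the vendor-baked key produced. Rotation invalidates in-flight ViewState and session cookies, so schedule it like any other credential reset.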
2025-04-15 04:14:54 thehackernews MISCELLANEOUS Meta to Utilize Public EU User Data for AI Model Training
Meta has resumed training its AI models on public data from adult users of its platforms in the European Union, roughly a year after pausing the program over concerns raised by the Irish data protection regulator. The training set will include public posts, comments, and interactions with Meta AI, but will exclude private messages and any data from users under 18. European users will be notified and can object to the use of their data through a provided form. Meta says the program follows an opinion from the European Data Protection Board (EDPB) and complies with EU data protection law. Other companies, including Google and OpenAI, already train on European user data in a similar way. The announcement coincided with Apple's description of the privacy-preserving techniques behind its own AI features, underscoring an industry-wide tension between AI training and user privacy.
2025-04-14 23:35:39 bleepingcomputer DATA BREACH Hertz Customer Data Compromised in Cleo Platform Breach
Hertz Corporation disclosed a data breach affecting its Hertz, Thrifty, and Dollar brands that stemmed from zero-day vulnerabilities in Cleo's managed file transfer platform. Exposed data includes names, contact details, dates of birth, credit card numbers, driver's license numbers, and Social Security numbers. Personal information tied to workers' compensation and vehicle accident claims may also have been exposed. The Clop ransomware gang exploited the Cleo zero-days between October and December 2024, hitting many companies that use the software. Hertz notified about 3,409 affected individuals in Maine and filed further notifications in California and Vermont. It is offering two years of free identity monitoring and advising customers to watch for fraud. Although the stolen data has appeared on Clop's extortion site, Hertz says it has not detected any misuse of the information.
2025-04-14 23:20:47 theregister MALWARE Windows Security Patch Introduces Protective Folder to Avert Exploits
Microsoft's April 2025 Windows security update creates an empty folder, typically C:\inetpub, as part of the fix for CVE-2025-21204, a Windows elevation-of-privilege flaw. The folder is a mitigation, not a side effect: Microsoft says it helps prevent malware or unauthorized users from abusing file operations to gain SYSTEM-level privileges. It is created whether or not Internet Information Services (IIS) is installed, since the folder is normally IIS's web content root. Microsoft advises against deleting it and says no action is required from administrators or end users. The folder is created with read-only SYSTEM-level permissions specifically to counter the privilege-escalation technique, which Microsoft has not described in detail. If the folder is removed by mistake, it can be recreated by temporarily enabling IIS through Windows Features in Control Panel, or by creating it manually with the same security settings. There are no known reports of CVE-2025-21204 being exploited in the wild, and no public exploit code.
2025-04-14 23:20:46 bleepingcomputer DATA BREACH Hertz Data Breach Exposes Customer and Driver Information
Hertz Corporation reported a data breach affecting its Hertz, Thrifty, and Dollar brands, attributed to the Cleo zero-day data theft attacks. Unauthorized access occurred in October and December 2024 through zero-day vulnerabilities in Cleo's file transfer platform. Stolen data may include names, contact details, dates of birth, credit card and driver's license details, and in some cases Social Security or other government ID numbers. More than 3,400 individuals in Maine have been notified, with additional notifications in California and Vermont. Hertz is offering two years of free identity monitoring and advises vigilance against fraud. The Clop ransomware gang, which carried out the attacks, had already leaked Hertz data on its extortion site. Since 2020 Clop has shifted from encrypting networks to stealing data at scale by exploiting zero-days in managed file transfer platforms. Western Alliance Bank, WK Kellogg Co, and Sam's Club are among other companies investigating possible breaches from the same campaign.
2025-04-14 21:38:03 theregister MISCELLANEOUS New SSL/TLS Certificates to Have 47-Day Lifespan by 2029
The CA/Browser Forum has voted to cut the maximum lifetime of new SSL/TLS certificates to 47 days by March 15, 2029. These are the certificates behind HTTPS connections, currently valid for up to 398 days; the reduction is phased, with limits of 200 days from March 2026 and 100 days from March 2027 before the 47-day cap. Apple, which proposed the change, argued that shorter lifetimes narrow the window in which a compromised or mis-issued certificate can be abused. Frequent renewal raises the stakes for operators, but providers such as Let's Encrypt issue free certificates and support automated renewal. Apple, Google, Microsoft, and Mozilla all backed the measure, and no member voted against it. Sysadmins have warned of significant operational strain for environments without end-to-end certificate automation. The change is part of a broader push toward proactive risk management, including readiness for the cryptographic transitions that quantum computing will force.
2025-04-14 20:53:43 bleepingcomputer DATA BREACH Conduent Reports Data Theft in January Cyberattack Incident
Conduent, the American business services company, has confirmed that client data was stolen in a cyberattack in January 2025. The company, which serves government and commercial clients across several sectors, disclosed the breach in an SEC Form 8-K filing. The attackers exfiltrated files containing personal information of a significant number of individuals tied to its client services. Conduent brought in cybersecurity experts to assess the complexity and scope of the compromised data. It has seen no indication that the stolen data has been published on the dark web or otherwise misused. The incident did not materially affect operations but did generate expenses in the first quarter. Conduent is still analyzing the full impact and is notifying affected clients in line with its legal obligations. The company was previously hit by the Maze ransomware gang in 2020.
2025-04-14 19:41:13 bleepingcomputer CYBERCRIME Swiss Cybersecurity Firm Buys Hacker Forum Accounts to Gather Intel
Swiss cybersecurity company Prodaft has launched "Sell your Source," a program that buys accounts on hacker forums to improve its threat intelligence. The idea is to operate aged, verified accounts inside cybercriminal communities so its analysts can observe illicit activity and tactics from within. Prodaft is targeting forums such as XSS, Exploit.in, and BreachForums and prefers accounts created before December 2022, ideally with moderator or administrative rights. It says it vets each account to exclude any that have been used for cybercrime or unethical activity, and rejects accounts tied to individuals on law enforcement wanted lists. Sellers are paid in cryptocurrency such as Bitcoin or Monero, and the transaction details are kept confidential. Sellers can contact Prodaft through Tox or email to negotiate terms and verify account ownership. Prodaft says it previously used similar infiltration techniques against the FIN7 group, disrupting attacks before they reached organizations.
2025-04-14 19:04:37 theregister NATION STATE ACTIVITY US Congressman Challenges Proposed Cuts to Cybersecurity Agency
Representative Eric Swalwell is demanding briefings on proposed cuts to the Cybersecurity and Infrastructure Security Agency (CISA) before any staffing decisions are made. As many as 1,300 CISA employees, nearly 40% of the workforce, could lose their jobs under the federal downsizing effort. Cuts on that scale would undermine CISA's ability to protect national cyber infrastructure. The administration has already fired or placed on leave roughly 130 CISA employees and slashed funding for several cybersecurity programs. Critics warn that shrinking CISA will weaken the public-private collaboration on which much of U.S. cyber defense depends. Swalwell, the ranking member of the House Homeland Security subcommittee that oversees CISA, criticized the lack of transparency and rationale behind the changes. He is seeking an urgent explanation of how CISA will carry out its mission with fewer resources and staff.
2025-04-14 17:49:48 bleepingcomputer MISCELLANEOUS Major Reduction in SSL/TLS Certificate Lifespan by 2029
The CA/Browser Forum, the body of certificate authorities and browser vendors that sets TLS issuance rules, has voted to reduce the maximum lifetime of SSL/TLS certificates to 47 days by 2029. The measure was backed by Apple, Sectigo, Google Chrome, and Mozilla, among others, as a security improvement. The reduction is phased over the next four years, stepping down from today's 398-day maximum to 47 days. Shorter lifetimes reduce the exposure from stale certificate data and deprecated cryptographic methods, because the ecosystem can retire them faster. Operators are encouraged to automate renewal and rotation so sites do not end up serving expired certificates. More frequent issuance also means more frequent revalidation of domain control, tightening the link between a certificate and its current owner. Organizations have time to adopt the automated renewal tooling offered by cloud and certificate providers. SSL/TLS certificates underpin HTTPS, providing encryption, server authentication, and integrity for traffic between users and websites.
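Both certificate-lifetime summaries above describe a phased reduction from 398 to 47 days. The following added example (not the Forum's text or any vendor's tooling) encodes that schedule so an automation pipeline can tell, for a given issuance date, how long a certificate may be valid, whether a certificate it is about to deploy exceeds that limit, and when renewal should be triggered. The intermediate 200- and 100-day steps, and the matching reduction in how long a domain validation may be reused, come from the Forum's ballot SC-081 rather than from the summaries; the lead fraction for renewal is an assumption chosen here.

```python
"""Maximum TLS certificate lifetime and renewal deadline under the CA/Browser Forum
phased schedule (ballot SC-081). Added example, not the Forum's or a CA's code."""
from datetime import date, timedelta
from typing import List, Tuple

# (effective date, maximum certificate validity in days). Today's cap is 398 days.
CERT_SCHEDULE: List[Tuple[date, int]] = [
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]
CURRENT_MAX_CERT_DAYS = 398

# How long a completed domain control validation may be reused for new issuance.
DCV_SCHEDULE: List[Tuple[date, int]] = [
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 10),
]
CURRENT_MAX_DCV_DAYS = 398


def _limit_on(when: date, schedule: List[Tuple[date, int]], current: int) -> int:
    limit = current
    for effective, days in schedule:  # schedule is in ascending date order
        if when >= effective:
            limit = days
    return limit


def max_lifetime_days(issued: date) -> int:
    """Longest validity period a browser will accept for a certificate issued on this date."""
    return _limit_on(issued, CERT_SCHEDULE, CURRENT_MAX_CERT_DAYS)


def max_dcv_reuse_days(issued: date) -> int:
    """Longest a prior domain validation may be reused for issuance on this date."""
    return _limit_on(issued, DCV_SCHEDULE, CURRENT_MAX_DCV_DAYS)


def exceeds_policy(not_before: date, not_after: date) -> bool:
    """True when a certificate's validity window is longer than its issue date allows."""
    return (not_after - not_before).days > max_lifetime_days(not_before)


def renew_by(not_before: date, not_after: date, lead_fraction: float = 1 / 3) -> date:
    """Renewal deadline: trigger when lead_fraction of the lifetime remains (assumption: one third).

    With 47-day certificates that leaves about 15 days to retry a failed renewal before expiry.
    """
    lifetime_days = (not_after - not_before).days
    return not_after - timedelta(days=int(lifetime_days * lead_fraction))


if __name__ == "__main__":
    for issued in (date(2025, 4, 14), date(2026, 6, 1), date(2028, 1, 1), date(2029, 4, 1)):
        cap = max_lifetime_days(issued)
        print(f"{issued}: max {cap} days, DCV reuse {max_dcv_reuse_days(issued)} days, "
              f"renew by {renew_by(issued, issued + timedelta(days=cap))}")
```

Feeding a certificate's real notBefore/notAfter into `exceeds_policy` is a cheap pre-deployment check that catches a CA or internal PKI still issuing on the old limits; `renew_by` is the value to feed a scheduler rather than the expiry date itself.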
2025-04-14 16:45:54 bleepingcomputer MALWARE ResolverRAT: New Malware Targets Global Pharma and Healthcare Sectors
ResolverRAT, a newly identified remote access trojan, is being used against healthcare and pharmaceutical organizations worldwide. It spreads through phishing emails, localized in several languages, that claim the recipient faces a legal or copyright complaint. The emails lead victims to download a legitimate signed executable that side-loads a malicious DLL, which then decrypts ResolverRAT and loads it reflectively into memory. The malware abuses .NET runtime features to stay memory-resident and avoid the file-based checks most security tools rely on. It obfuscates its control flow, hampers static analysis, and includes sandbox-evasion checks. For persistence it writes to as many as 20 different Windows Registry locations and copies itself to several filesystem locations. Its command-and-control logic is built to avoid detection, and it exfiltrates data by splitting large files into chunks and tolerating unstable network connections. Lures have been observed in Italian, Czech, Hindi, Turkish, Portuguese, and Indonesian, indicating a broad and still-expanding geographic footprint.
2025-04-14 16:16:15 thehackernews MALWARE ResolverRAT Targets Healthcare, Pharma with Sophisticated Phishing Attacks
ResolverRAT, a sophisticated remote access trojan, is targeting the healthcare and pharmaceutical sectors through phishing. The emails use fear-based lures, such as copyright or legal complaints, to push recipients into acting quickly. Localized messages in languages including Hindi, Italian, and Turkish improve the campaign's hit rate. Links in the emails lead to DLL side-loading, which kicks off a stealthy multi-stage payload. ResolverRAT layers encryption, compression, and memory-only execution to evade detection. Its command-and-control channel uses fallback mechanisms and irregular beaconing intervals to stay under the radar. The end goal is quiet data exfiltration, with large datasets split into small chunks to avoid attention. Attribution is still open, but operational overlaps suggest coordination between threat actors or groups.
2025-04-14 14:21:24 bleepingcomputer CYBERCRIME DaVita Kidney Care Services Hit by Ransomware Over Weekend
DaVita, a major kidney dialysis provider, suffered a ransomware attack that encrypted parts of its network and disrupted operations. The attack began on a Saturday, a common choice for ransomware crews because IT staffing is thinner on weekends. Despite the encryption, DaVita kept treating patients by activating contingency plans. The company has opened an investigation to determine the full impact, including whether patient data was stolen. It disclosed the incident in an SEC Form 8-K filing but has not given a timeline for restoring affected systems. No ransomware group has claimed responsibility so far. DaVita operates more than 2,600 outpatient treatment centers and employs about 76,000 people across 12 countries.