Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11827
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-04-03 15:48:32 | bleepingcomputer | DATA BREACH | Texas State Bar Hit by INC Ransomware, Data Leaked | The State Bar of Texas has disclosed a data breach after the INC ransomware gang claimed the attack and began publishing stolen data online. The intrusion took place between January 28 and February 9, 2025, and was discovered on February 12, 2025. As the second-largest bar association in the U.S., with more than 100,000 licensed attorneys, the organization has a large pool of potentially affected members. The stolen data includes full names; the other data types are redacted in the breach notifications filed with state Attorneys General. INC added the State Bar of Texas to its extortion site on March 9, 2025, and has leaked samples that include legal documents. BleepingComputer has not verified whether the leaked data genuinely came from the organization's network or whether it contains private information. The State Bar is offering affected members free credit and identity theft monitoring through Experian until July 31, 2025, and recommends additional measures such as a credit freeze. | Details |
| 2025-04-03 15:31:12 | bleepingcomputer | DATA BREACH | Oracle Admits Data Breach Affecting Legacy Cloud Systems | Oracle has told some customers that legacy credentials were stolen in a breach of an old environment last used in 2017. Oracle characterises the data as outdated and non-sensitive, but newer data from 2024 and 2025 has reportedly been compromised and circulated. The attackers used a Java exploit from 2020 to plant malware and exfiltrate data, including emails, usernames and hashed passwords, from Oracle's Identity Manager database. A threat actor using the handle "rose87168" advertised 6 million Oracle records for sale and released samples as proof that the data is genuine. Oracle initially denied any breach of its current cloud services, acknowledging only that the older Oracle Cloud Classic environment was affected, but reports indicate the stolen credentials include far more recent data. The FBI and CrowdStrike have been brought in to investigate, which underlines the seriousness of the incident. Separately, Oracle Health reported another breach affecting U.S. healthcare providers, with potential patient data theft and ransom demands from the attackers. | Details |
| 2025-04-03 15:04:18 | theregister | MISCELLANEOUS | Enhancing IT Disaster Response Through Regular Testing and Updates | Business IT disaster recovery depends on continuously updating and regularly testing incident response plans. Tools such as Netflix's Chaos Monkey simulate real-world disruptions for testing purposes. Administrators should automate their remediation scripts and keep them current so incidents can be handled quickly. Secureworks stresses rigorous training and drills so that teams are ready for real disaster scenarios. Network visibility and up-to-date network maps are critical for detecting and responding to problems. Third-party penetration testing can reveal network weaknesses, but the findings must be prioritised rather than worked through indiscriminately. Backups must be verified regularly so they do not fail when needed, and protected against attackers who deliberately target them. Preparedness determines the speed and effectiveness of recovery from a network incident, which makes disaster response drills indispensable. | Details |
| 2025-04-03 14:49:06 | bleepingcomputer | CYBERCRIME | SpotBugs Token Leak Triggers Multi-Step GitHub Supply Chain Attack | Palo Alto Networks' Unit 42 has traced a recent GitHub supply chain attack, which affected 218 repositories, back to a stolen SpotBugs token. The chain began in late November 2024, when a SpotBugs maintainer's Personal Access Token (PAT) was added to a CI workflow. On December 6, 2024, attackers exploited that workflow, which ran untrusted pull-request code with access to the token, to steal the PAT. With the stolen credential, a malicious commit was pushed in March 2025 that compromised downstream GitHub Actions workflows, with the cryptocurrency exchange Coinbase as the intended target. Coinbase was alerted and mitigated the attack before any critical secrets were exposed. Analysis of the incident exposed systemic weaknesses in the GitHub Actions ecosystem, including mutable tags and inadequate audit logging. Affected projects are advised to rotate all secrets and audit their GitHub Actions logs for the period in question. Recommended preventive measures include pinning actions to full commit SHAs rather than tags and avoiding workflow triggers that run with repository secrets on untrusted input. | Details |
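The two hardening recommendations in the SpotBugs summary (pin actions to commit SHAs; do not let untrusted pull-request code run with secrets) can be checked mechanically. The following is an added example written for this brief, not code from Unit 42, SpotBugs, or GitHub: a small line-oriented auditor for workflow files, run over two constructed workflows (the action names, the placeholder SHAs and the secret name are invented for illustration). It flags any `uses:` reference that is not a 40-hex commit SHA, and the classic "pwn request" shape where a `pull_request_target` workflow checks out the pull request's own head.

```python
import re

# Lines of the form "uses: owner/repo[/path]@ref" (step actions and reusable workflows).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def find_unpinned_actions(workflow_text):
    """Return (line_no, action, ref) for every action referenced by a mutable ref
    (tag or branch) instead of a full 40-hex commit SHA. A tag can be moved to a
    malicious commit after you reviewed it; a commit SHA cannot."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group(2)):
            findings.append((no, m.group(1), m.group(2)))
    return findings


def runs_pr_code_with_secrets(workflow_text):
    """Heuristic for the 'pwn request' shape: the workflow triggers on
    pull_request_target (which runs in the base repository's context, with its
    secrets) and checks out the pull request's own head, so a fork's code
    executes with those secrets."""
    return ("pull_request_target" in workflow_text
            and PR_HEAD_RE.search(workflow_text) is not None)


def audit(workflow_text):
    """Collect human-readable findings for one workflow file."""
    findings = [f"line {no}: {action}@{ref} is not pinned to a commit SHA"
                for no, action, ref in find_unpinned_actions(workflow_text)]
    if runs_pr_code_with_secrets(workflow_text):
        findings.append("pull_request_target checks out the PR head: "
                        "untrusted code runs with repository secrets")
    return findings


# Constructed sample workflows (hypothetical; not from the article or any real project).
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: example-org/lint-action@v2
      - run: ./gradlew build
        env:
          TOKEN: ${{ secrets.MAINTAINER_PAT }}
"""

HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: example-org/lint-action@fedcba9876543210fedcba9876543210fedcba98  # v2 (placeholder SHA)
      - run: ./gradlew build
"""

if __name__ == "__main__":
    for name, text in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit(text) or ["no findings"])
```

The check is deliberately line-based rather than a full YAML parse so it has no dependencies and can run in a pre-commit hook; it will not catch actions referenced through a matrix variable or a reusable workflow's own inputs, so treat a clean result as necessary, not sufficient.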
| 2025-04-03 13:06:07 | bleepingcomputer | CYBERCRIME | Scallywag Ad-Fraud Operation Leveraged WordPress Plugins | A large-scale ad fraud operation called 'Scallywag' used WordPress plugins on piracy and URL-shortening sites to generate 1.4 billion fraudulent ad requests per day. Bot and fraud detection firm HUMAN exposed the operation after identifying a network of 407 domains involved in the scheme. Following HUMAN's detection and interventions by ad providers, the fraudulent activity dropped by 95%, causing a significant loss of revenue. Four WordPress plugins did the work: Soralink, Yu Idea, WPSafeLink and Droplink, released between 2016 and 2022. Offered as fraud-as-a-service, the plugins let independent cybercriminals set up their own ad fraud networks. Visitors were redirected through a chain of ad-heavy intermediary pages that generated fraudulent impressions before reaching the content they wanted. Despite the sharp drop in activity, the Scallywag actors continue to adapt and shift tactics to evade detection. | Details |
| 2025-04-03 12:50:27 | theregister | NATION STATE ACTIVITY | Network Device Probes Suggest Potential Espionage Activity | Researchers have detected heightened probing of Juniper Networks and Palo Alto Networks devices that may indicate espionage, botnet building or attempts to exploit an as-yet-unknown vulnerability. Mass scans targeted Juniper's Session Smart Networking products by logging in with the products' known default credentials, which makes unauthorised access trivial wherever they have not been changed. More than 3,000 source IPs took part between March 23 and March 28; their history of SSH scanning suggests a Mirai-type botnet. GreyNoise separately observed heavy probing of Palo Alto Networks' PAN-OS GlobalProtect remote access portals, with nearly 24,000 unique IPs involved over the past 30 days. GreyNoise links this pattern to past espionage-related scanning, which has often preceded the disclosure of a new vulnerability by a few weeks. GreyNoise and Palo Alto Networks are investigating the scans for impact and mitigations, and customers are urged to run current software versions. Owners of the Juniper devices are advised to change the default credentials, although some users report difficulty in setting new ones. | Details |
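The Juniper scanning described above has a distinctive shape: thousands of sources, each trying a default account a handful of times, so per-IP lockout thresholds never trip. The following is an added example written for this brief (not GreyNoise's or Juniper's tooling) showing detection logic for that shape over constructed OpenSSH-style `sshd` log lines; the hostname, IPs, timestamps and account names are invented, and the year is assumed because syslog timestamps omit it. It flags an account probed from many IPs with few attempts each inside a short window, and then surfaces the worst case, a successful login for that account from one of the scanning IPs.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth log lines: "Mon DD HH:MM:SS host sshd[pid]: Failed|Accepted password for [invalid user ]USER from IP port N ssh2"
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample log (hypothetical; not taken from the article or any real device).
SAMPLE_LOG = """\
Mar 25 02:14:01 rtr sshd[4121]: Failed password for admin from 203.0.113.10 port 51122 ssh2
Mar 25 02:14:03 rtr sshd[4124]: Failed password for admin from 198.51.100.77 port 40011 ssh2
Mar 25 02:14:09 rtr sshd[4130]: Failed password for admin from 192.0.2.45 port 33390 ssh2
Mar 25 02:15:41 rtr sshd[4152]: Failed password for admin from 203.0.113.88 port 45871 ssh2
Mar 25 02:16:02 rtr sshd[4161]: Failed password for admin from 198.51.100.9 port 60003 ssh2
Mar 25 02:16:55 rtr sshd[4170]: Failed password for admin from 192.0.2.200 port 52214 ssh2
Mar 25 02:17:30 rtr sshd[4188]: Failed password for alice from 10.20.30.40 port 50001 ssh2
Mar 25 02:17:34 rtr sshd[4188]: Failed password for alice from 10.20.30.40 port 50001 ssh2
Mar 25 02:17:39 rtr sshd[4188]: Failed password for alice from 10.20.30.40 port 50001 ssh2
Mar 25 02:17:45 rtr sshd[4188]: Accepted password for alice from 10.20.30.40 port 50001 ssh2
Mar 25 02:19:40 rtr sshd[4203]: Accepted password for admin from 203.0.113.10 port 51300 ssh2
"""


def parse(log_text, year=2025):
    """Return (timestamp, result, user, ip) tuples; the year is an assumption."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_distributed_spray(events, min_ips=5, max_attempts_per_ip=2, window_minutes=30):
    """Flag accounts that fail from at least min_ips distinct sources, each trying
    at most max_attempts_per_ip times, within window_minutes. A single user
    mistyping a password (one IP, several attempts) does not match this shape."""
    attempts = defaultdict(lambda: defaultdict(int))   # user -> ip -> failed count
    times = defaultdict(list)                           # user -> failure timestamps
    for ts, result, user, ip in events:
        if result == "Failed":
            attempts[user][ip] += 1
            times[user].append(ts)
    alerts = {}
    for user, per_ip in attempts.items():
        span = (max(times[user]) - min(times[user])).total_seconds() / 60
        if (len(per_ip) >= min_ips and max(per_ip.values()) <= max_attempts_per_ip
                and span <= window_minutes):
            alerts[user] = {"source_ips": len(per_ip), "span_minutes": round(span, 1)}
    return alerts


def successful_logins_from_scanners(events, alerts):
    """(user, ip) pairs where a flagged account was then successfully logged into
    from an IP that had also failed against it: the default credential worked."""
    failed_ips = defaultdict(set)
    for _, result, user, ip in events:
        if result == "Failed":
            failed_ips[user].add(ip)
    return sorted((user, ip) for _, result, user, ip in events
                  if result == "Accepted" and user in alerts and ip in failed_ips[user])


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    hits = detect_distributed_spray(evts)
    print("distributed spray:", hits)
    print("compromised:", successful_logins_from_scanners(evts, hits))
```

The thresholds are starting points, not tuned values; on a real estate you would feed this from a log pipeline rather than a string and raise the `min_ips` floor to match your normal traffic. The point is the grouping: per-account breadth across sources, not per-source depth, is the signal.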
| 2025-04-03 12:24:21 | thehackernews | NATION STATE ACTIVITY | North Korean Lazarus Group Tricks Job Seekers via Fake Interviews | The North Korean Lazarus Group is running a campaign against job seekers in the cryptocurrency sector that uses the ClickFix social engineering technique. Sekoia, which dubbed the campaign ClickFake Interview, found that it uses fake job offers to deliver malware, including a previously undocumented backdoor named GolangGhost. The lures impersonate centralized finance firms such as Coinbase and Kraken, a shift from earlier campaigns that targeted decentralized finance. Candidates are approached on platforms such as LinkedIn and invited to a video interview; during setup, a fake error tells them to download a 'necessary' driver, and what they run instead launches scripts that steal browser data and system information and enable theft of cryptocurrency. Lazarus also runs a fraudulent IT worker scheme in Europe, in which North Koreans posing as workers of various nationalities get hired by organisations and funnel money to the regime. Together these operations mark a significant evolution and expansion of North Korea's cyber activity, aimed at generating revenue in violation of international sanctions. | Details |
| 2025-04-03 11:27:09 | theregister | NATION STATE ACTIVITY | EU Plans to Backdoor Encryption Amid Privacy Concerns | The European Union has unveiled its ProtectEU security strategy, which proposes, by 2026, a technology roadmap for giving law enforcement access to encrypted data; critics describe this as a plan for encryption backdoors. EU Executive Vice-President Henna Virkkunen argued the changes are needed because law enforcement is losing ground to criminals for lack of access to essential data. Critics counter that any backdoor in encryption is a vulnerability that can be exploited by unauthorised parties, including foreign governments. In parallel, Switzerland is considering laws that would expand surveillance, which privacy-focused firms such as Proton say could drive them out of the country. The EU also intends to set up a Security Research & Innovation Campus by 2026 to work out the technical details of these proposals. The broader strategy includes a transition to post-quantum cryptography by 2030, a stronger Europol, and improved cloud and datacenter security against external threats. The initiatives are part of a comprehensive EU strategy against terrorism, organised crime, surging cybercrime and attacks on critical infrastructure. | Details |
| 2025-04-03 11:27:09 | thehackernews | CYBERCRIME | Webinar Offers Insights on AI-Driven Cybersecurity Threats | Artificial intelligence (AI) is increasingly used in business, enhancing capabilities but also enabling more advanced cybercrime. Criminals are using AI to tailor phishing lures, clone voices, and manipulate data and models. Traditional security strategies are losing their effectiveness against AI-driven threats, which require new defences. Zscaler's webinar "AI Uncovered: Re-Shaping Security Strategies for Resilience in the Era of AI" addresses these evolving challenges. Diana Shtil, Senior Product Marketing Manager at Zscaler, will discuss how to adapt security measures to advances in AI. Attendees will learn proactive steps for updating their security strategies to withstand AI-powered attacks. The session targets both cybersecurity professionals and business decision-makers. The webinar airs next week and focuses on practical, actionable guidance; early registration is encouraged. | Details |
| 2025-04-03 10:44:50 | thehackernews | MISCELLANEOUS | Navigating AI Adoption Barriers in Enterprise Environments | AI implementation in enterprises is frequently stalled by security, legal and compliance hurdles. The main obstacles are regulatory uncertainty, inconsistent documentation, and a shortage of expertise in translating compliance requirements into practical controls. Misconceptions about AI governance add further friction, such as the belief that entirely new frameworks are needed when existing security controls largely apply to AI systems. Keeping up with AI-related compliance changes and maintaining ongoing monitoring are genuine governance needs that address real risks. Effective AI governance should concentrate on technical controls for those risks rather than on creating unnecessary roadblocks. JPMorgan Chase's AI Center of Excellence is cited as a successful example: it uses risk-based assessments and standardised frameworks to speed up AI adoption. Collaboration among security, compliance and technical teams from the outset is crucial. Practical steps for AI vendors include making data processing transparent and integrating with existing security tools, which eases compliance and enables innovation. | Details |
| 2025-04-03 09:33:08 | theregister | CYBERCRIME | Ransomware and ITaaS: Intensifying Disaster Recovery Challenges | Disaster recovery is growing more complex as IT estates sprawl across on-premises equipment, public clouds, SaaS and third-party IT-as-a-service (ITaaS) providers. Ransomware has overtaken natural disasters as the leading cause of system outages, underlining how exposed IT systems are to cyber threats. Homogeneous, standardised environments are easier to recover; spreading workloads across several public clouds and ITaaS providers makes recovery significantly harder. Organisations that use ITaaS are particularly exposed during outages because they depend on third-party vendors whose disaster recovery may not meet robust expectations. Ransomware can cripple outsourced service providers, as seen with NHS pathology services and several US healthcare providers, causing widespread operational disruption. Disaster recovery plans must therefore include specific strategies for cyber incidents and ensure that every third-party supplier has robust, tested recovery procedures and immutable backups. Effective recovery also requires tight synchronisation of environment changes, regular testing of failover and failback, and validated plans that cover both direct impacts and collateral damage from third-party failures. | Details |
| 2025-04-03 08:22:40 | thehackernews | MALWARE | Google Resolves Quick Share Flaw Allowing Unauthorized File Transfers | Google has patched its Quick Share utility for Windows to fix a vulnerability that allowed unauthorised file transfers and could be used for denial-of-service attacks. The flaw, tracked as CVE-2024-10668 with a CVSS score of 5.9, allowed files to be sent to a device silently without user consent. It stems from a set of 10 vulnerabilities first reported in August 2024 that could be chained into arbitrary code execution on Windows hosts. Follow-up analysis found that two of them had been incompletely fixed: one still crashed the application and the other still bypassed the user's consent to accept a file. The denial-of-service bug is triggered by a file name containing invalid UTF-8 continuation bytes, which crashes the application. The unauthorised file write had been mitigated by marking such files as "unknown" and deleting them after the transfer, but sending two files with the same payload ID in a single session bypassed that cleanup. The episode is a reminder to the software industry to fix the underlying issue rather than patch the specific symptom. | Details |
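Both residual Quick Share bugs in the summary are instances of trusting sender-controlled input: a file name that is not valid UTF-8, and a payload ID the sender may reuse. The following is an added example written for this brief, not Google's code and not a description of Quick Share's internals: a hypothetical receive-session model that contrasts the "tag as unknown and delete afterwards" style of cleanup, which keys its bookkeeping by the sender's payload ID, with a hardened receiver that decodes names strictly, rejects reused IDs, and writes nothing to disk before consent. The disk is simulated as a set of paths; file names, IDs and the `downloads/` prefix are invented.

```python
import os


class TransferError(Exception):
    """Raised when the receiver refuses a payload."""


def decode_file_name(raw: bytes) -> str:
    """Strictly decode a sender-supplied file name. A lead byte followed by a
    non-continuation byte (e.g. b'\\xe2\\x28') is a decode error, which we turn
    into a clean rejection instead of letting malformed text reach code that
    assumes it is well-formed. Path separators and traversal are refused too."""
    try:
        name = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise TransferError(f"invalid UTF-8 in file name at byte offset {exc.start}") from exc
    if name in ("", ".", "..") or os.path.basename(name) != name:
        raise TransferError("file name must be a plain base name")
    return name


class LenientReceiver:
    """Models the weak mitigation described in the article: an unsolicited
    payload is written to disk, tagged 'unknown', and deleted when the session
    ends. The tag table is keyed by the sender-chosen payload ID, so a second
    payload with the same ID overwrites the entry and only one file is removed."""

    def __init__(self):
        self.disk = set()      # simulated files on disk
        self.unknown = {}      # payload_id -> path scheduled for deletion

    def receive(self, payload_id, raw_name, consented):
        path = "downloads/" + decode_file_name(raw_name)
        self.disk.add(path)                       # written before consent is known
        if not consented:
            self.unknown[payload_id] = path       # clobbered on ID reuse
        return path

    def end_session(self):
        for path in self.unknown.values():
            self.disk.discard(path)
        self.unknown.clear()
        return set(self.disk)


class StrictReceiver:
    """Hardened variant: a payload ID is accepted at most once per session and
    nothing touches the disk until the user has consented, so there is no
    cleanup step for an attacker to race or confuse."""

    def __init__(self):
        self.disk = set()
        self.seen_ids = set()

    def receive(self, payload_id, raw_name, consented):
        if payload_id in self.seen_ids:
            raise TransferError(f"payload id {payload_id!r} reused in this session")
        self.seen_ids.add(payload_id)
        name = decode_file_name(raw_name)
        if not consented:
            raise TransferError("payload rejected: no user consent")
        path = "downloads/" + name
        self.disk.add(path)
        return path

    def end_session(self):
        return set(self.disk)


def attempt(receiver, payload_id, raw_name, consented):
    """Run one receive() and report (accepted, detail) instead of raising."""
    try:
        return True, receiver.receive(payload_id, raw_name, consented)
    except TransferError as exc:
        return False, str(exc)


def demo_bypass():
    """Two unsolicited files share payload ID 7; the lenient receiver keeps one."""
    r = LenientReceiver()
    r.receive(7, b"first.exe", consented=False)
    r.receive(7, b"second.exe", consented=False)
    return r.end_session()


def demo_strict():
    """Same two payloads against the strict receiver: both refused, disk untouched."""
    s = StrictReceiver()
    first_ok, _ = attempt(s, 7, b"first.exe", consented=False)
    second_ok, _ = attempt(s, 7, b"second.exe", consented=False)
    return first_ok, second_ok, s.end_session()


if __name__ == "__main__":
    print("lenient leaves behind:", demo_bypass())
    print("strict:", demo_strict())
    print("bad name:", attempt(StrictReceiver(), 1, b"bad\xe2\x28name.txt", True))
```

The general lesson, which the model is meant to make concrete, is that a deferred cleanup keyed on attacker-controlled identifiers is not a consent check; the only robust order is validate, obtain consent, then write.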
| 2025-04-03 07:35:43 | thehackernews | MALWARE | Triada Malware Found Preloaded on Counterfeit Android Phones | A new version of the Triada malware has infected more than 2,600 devices worldwide, most of them in Russia. Triada is a modular Android malware that acts as a remote access trojan (RAT), stealing sensitive information and enrolling devices in a botnet. Historically it spread through apps on the Google Play Store and modified WhatsApp clients, but it has now been found preinstalled in the system framework of counterfeit smartphones. The malware has evolved to exploit hardware supply chains and third-party developers, so that it is injected during manufacturing and can later take remote control of the device and load further malware. In 2019 Google identified a compromised vendor that had likely introduced the malware while developing extra features such as face unlock. Kaspersky's recent analysis shows that the latest version gives its operators comprehensive access to infected devices. The new variant earned its operators about $270,000 in cryptocurrency between mid-2024 and early 2025. The discovery coincides with reports of other Android banking trojans targeting financial apps, part of an ongoing wave of sophisticated Android malware campaigns. | Details |
| 2025-04-03 06:35:22 | theregister | CYBERCRIME | Royal Mail and Samsung Data Allegedly Stolen by Hackers | Britain's Royal Mail and Samsung Germany have been targeted by cybercriminals who claim to have stolen large sets of customer data. The hacker group GHNA claims responsibility, saying it obtained the data through a compromised supplier, Spectos GmbH. Royal Mail confirmed that it is investigating with Spectos to determine what data, if any, was affected; Royal Mail operations are unaffected. The stolen information reportedly includes names, addresses, phone numbers and service details, along with Mailchimp mailing lists and WordPress databases. The Samsung incident involves around 270,000 customer service tickets containing detailed customer and purchase information. Security researchers link the breach to an earlier Raccoon infostealer infection at Spectos that leaked employee login credentials. The incidents raise real concerns that customers could be targeted with fraud or theft using the leaked details. | Details |
| 2025-04-03 04:54:24 | thehackernews | CYBERCRIME | Legacy Stripe API Used to Validate Stolen Cards in Skimming Campaign | A web skimming campaign abuses a legacy Stripe API to verify stolen payment card details before exfiltrating them, so that only working cards are collected. Researchers at Jscrambler identified the campaign, which has affected an estimated 49 merchants, with activity traced back to at least August 2024. The skimmer captures payment data by mimicking the legitimate payment interface so that the fraudulent form is indistinguishable to shoppers. Fifteen of the affected merchants have since removed the malicious scripts from their sites. The campaign mainly exploits vulnerabilities in WooCommerce, WordPress and PrestaShop deployments to inject the skimming code. Malicious domains serve the JavaScript skimmer, which then overlays a fake form on top of the legitimate Stripe payment form. The attackers have also experimented with skimmers that impersonate other payment providers and offer payment in various cryptocurrencies. Validating cards before theft helps the operation evade detection and guarantees that the stolen data is of high value. | Details |