Daily Brief

Find articles below; each title is followed by a generated summary

Total articles found: 11831

Checks for new stories every ~15 minutes

2025-03-24 19:16:35 thehackernews MALWARE Critical Remote Code Execution Flaw Found in Ingress NGINX Controller
Five critical vulnerabilities were discovered in the Ingress NGINX Controller for Kubernetes, capable of unauthenticated remote code execution. Over 6,500 Kubernetes clusters are exposed to the public internet; Wiz codenamed the vulnerabilities IngressNightmare. The vulnerabilities allow attackers to gain unauthorized access to all Kubernetes cluster secrets, potentially leading to total cluster control. The flaws specifically affect the admission controller component, allowing attackers to inject arbitrary NGINX configurations and execute code. Approximately 43% of cloud environments using this technology are vulnerable. A possible attack method includes uploading a malicious payload via the client-body buffer feature and using an AdmissionReview request to trigger remote code execution. Fixed versions (1.12.1, 1.11.5, 1.10.7) have been released, with recommendations for users to update immediately and secure the admission webhook endpoint.
2025-03-24 18:28:48 bleepingcomputer NATION STATE ACTIVITY Ukrainian Railway Targeted in Major Cyberattack; Operations Continue
Ukrzaliznytsia, Ukraine's national railway operator, was struck by a significant cyberattack, disrupting online ticket services. The attack caused the website and mobile apps to malfunction, forcing passengers to purchase tickets at physical locations, resulting in overcrowded stations and extended waiting times. The railway's operational activities, including train schedules and traffic, remained unaffected thanks to the implementation of backup protocols previously established in response to past attacks. Military personnel were allowed to buy tickets directly on trains to prevent any disruption in their movements, while civilians were advised to use previously emailed PDF copies of their tickets. Despite the online platform issues, train operations continued without delays, demonstrating resilience against the strategic cyberattack. Ukrzaliznytsia is collaborating with the SBU Cyber Department and CERT-UA to address security vulnerabilities and restore full functionality, though no specific recovery timeline has been provided. The cyberattack was described as "highly systematic and multi-layered," highlighting the complexity and possibly the involvement of a nation-state actor.
2025-03-24 18:20:47 bleepingcomputer CYBERCRIME Global DrayTek Routers Disrupted by Firmware Vulnerabilities
ISPs globally reported DrayTek routers experiencing boot loops and connectivity issues starting Saturday night. The disruption affected multiple models of DrayTek routers, and ISPs identified both cyber attacks and a problematic firmware update as potential causes. The affected devices presented issues like intermittent connectivity and automatic reboot cycles, heavily impacting Internet services. ISPs such as Gamma, Zen Internet, ICUK, and A&A in the United Kingdom and others internationally urged users to install the latest firmware or replace their routers. DrayTek advised customers to disable SSLVPN/Remote Access features and switch off VPN functionalities until the devices are securely updated. In addition to firmware updates, DrayTek provided ISPs with specific measures to restore connectivity but has not yet identified the definitive cause of the connection losses. Previously, in October, DrayTek resolved critical security flaws affecting over 700,000 devices, illustrating ongoing security challenges with their router models.
2025-03-24 17:56:49 bleepingcomputer NATION STATE ACTIVITY Chinese Weaver Ant Hackers Target Telecom Network for Four Years
The advanced persistent threat group, Weaver Ant, linked to China, infiltrated an Asian telecommunications provider's network for over four years. They used compromised Zyxel CPE routers and variants of the China Chopper backdoor along with a custom web-shell named ‘INMemory’ for covert operations. The group leveraged web shell tunneling to create a hidden command-and-control network, allowing them to control and execute payloads within segmented parts of the network. Techniques included encryption, passive network traffic capture, and exploitation of high-privileged accounts with static passwords to avoid detection and maintain persistent access. Weaver Ant’s tactics also involved disabling logging mechanisms and employing anti-malware scanning bypass techniques to remain undetected. The primary objectives appeared to focus on network intelligence and credential harvesting, characteristic of state-sponsored espionage rather than direct financial theft. Cybersecurity firm Sygnia suggests improving internal network traffic monitoring, detailed logging, applying the principle of least privilege, and frequent credential rotation to defend against such threats.
2025-03-24 16:25:19 thehackernews MISCELLANEOUS Microsoft Enhances Edge with Inline Data Protection Features
Microsoft announced new features for Edge for Business, aimed at preventing data leaks into consumer GenAI apps like OpenAI ChatGPT. Inline data protection in Edge will block sensitive corporate data from being entered into external web applications. The features are integrated into Microsoft Purview's data loss prevention controls, which are now generally available. Microsoft also announced increased security in Microsoft Teams to improve defense against phishing and ransomware attacks via enhanced team collaboration security settings, and real-time detonation technology to analyze and neutralize malicious content before it reaches the end user. Security Copilot is expanding with 11 new agentic solutions, focusing on data breach analysis, threat prioritization, and compliance improvements. New capabilities allow automation of routine security processes, aiding human security teams in managing more complex threats effectively. Enhanced user and domain management controls protect against malicious interactions and improve organizational security posture.
2025-03-24 16:25:19 bleepingcomputer MALWARE Critical Security Flaw in Next.js Could Allow Unauthorized Access
A severe vulnerability in Next.js, identified as CVE-2025-29927, allows attackers to bypass authorization checks by manipulating request headers. The flaw lies in the handling of the 'x-middleware-subrequest' header, which lets requests bypass middleware security functions and reach destination paths directly. Next.js is extensively used, with over 9 million weekly downloads, and is employed by major platforms like TikTok, Twitch, and Netflix. The vulnerability impacts versions of Next.js prior to 15.2.3, 14.2.25, 13.5.9, and 12.3.5, with a strong recommendation for users to update to newer versions. CVE-2025-29927 only affects self-hosted Next.js applications that use 'next start' with 'output: standalone'; applications hosted on platforms like Vercel are not affected. In cases where immediate patching is not feasible, blocking external requests that include the 'x-middleware-subrequest' header is advised as a temporary measure.
2025-03-24 16:25:19 bleepingcomputer CYBERCRIME International Operation Nets 300 Suspects in African Cybercrime Crackdown
'Operation Red Card' led by INTERPOL resulted in the arrest of 306 individuals across Africa, targeting cross-border cybercriminal networks. The operation was conducted between November 2024 and February 2025, during which 1,842 devices linked to various online scams were seized. Authorities collaborated internationally, exchanging criminal intelligence and utilizing data from private sector partners like Group-IB, Kaspersky, and Trend Micro to enrich their insights. Significant arrests included 130 in Nigeria for investment fraud and online casino scams and 40 in South Africa linked to SIM box fraud operations. Zambian police detained 14 individuals involved in a cybercrime gang that hacked phones to spread malware and control victims' banking apps. In Rwanda, 45 suspects were arrested in connection with social engineering scams, accumulating over USD 305,000 from victims in 2024. The operation underscores the effectiveness of international cooperation in tackling cybercrime, which can have severe impacts on global communities and economies. The success of 'Operation Red Card' follows other significant INTERPOL-coordinated efforts in Africa such as 'Operation Serengeti' and 'Operation Africa Cyber Surge II.'
2025-03-24 16:07:18 theregister MISCELLANEOUS Microsoft Enhances Security Copilot with AI-Driven Agents
Microsoft's Security Copilot now includes 11 task-specific AI agents designed to enhance interactions with security products like Defender, Purview, Entra, and Intune. The AI agents use generative AI to automate routine tasks and summarize high-volume data, such as phishing warnings and threat alerts, helping prioritize critical security issues. Initial use of Security Copilot has led to significant improvements in response times to security incidents, with up to a 30 percent reduction in mean time to respond. The AI agents are continually learning and evolving, requiring minimal human input to refine their operations, based on individual feedback. Despite the AI’s capabilities, human oversight remains necessary, particularly in distinguishing false positives in phishing triage and applying context-specific decisions. Corporate partners and Microsoft continue developing safeguards against potential AI errors, including measures to prevent cross-prompt injections and hallucinations. Use cases shared at the event underscored the practical applications and benefits of AI in handling complex security and privacy compliance tasks across various regulations.
2025-03-24 14:13:56 thehackernews MALWARE VanHelsing RaaS Targets Multiple OS with Sophisticated Extortion Tactics
VanHelsing, a new ransomware-as-a-service (RaaS) operation, began its malicious activities on March 7, 2025, and has already claimed three victims. It utilizes a dual attack approach involving data theft before encryption, subsequently threatening to release stolen data unless a ransom is paid. The service appeals to a broad range of cybercriminals by providing a user-friendly control panel accessible on multiple devices and operating systems, including Windows, Linux, and more. Entry into the VanHelsing RaaS program requires a $5,000 deposit for new affiliates, while established partners may join for free, with affiliates typically retaining 80% of any ransom collected. The ransomware specifically avoids targeting the Commonwealth of Independent States (CIS), following a common practice in the cybercrime ecosystem of not attacking entities within these nations. VanHelsing encrypts files, appends a ".vanhelsing" extension to them, alters desktop wallpapers, and displays a ransom demand, pushing victims to pay in Bitcoin. CYFIRMA reports that the manufacturing, government, and pharmaceutical sectors in the U.S. and France are among those impacted by these ransomware attacks. This trend aligns with a global increase in ransomware incidents, with February 2025 cited as a record month of 962 attacks, signaling a spike in remote encryption tactics by cybercriminals.
2025-03-24 14:06:43 theregister CYBERCRIME 23andMe Files for Bankruptcy Amidst Financial Struggles and Cyberattack Fallout
23andMe initiated Chapter 11 bankruptcy proceedings in the Eastern District of Missouri, citing financial challenges and legal liabilities from a significant 2023 cyberattack. The company plans to sell its assets under court supervision, aiming to maximize value and address its operational and financial obstacles. Court-approved debtor-in-possession financing secures $35 million to fund operations and maintain payments to staff and vendors during the asset sale process. CEO Anne Wojcicki stepped down but will remain on the board, following ongoing financial instability and failed attempts to take the company private. 23andMe has struggled financially since its inception in 2006, never achieving profitability, with the recent cyberattack exacerbating its financial insecurity. The bankruptcy filing will handle the resolution of a $30 million settlement from a class-action lawsuit over the data breach, underscoring the cyberattack's severe impact. California's attorney general has advised state residents to manage their personal data with 23andMe proactively, reflecting heightened data privacy concerns. Despite the bankruptcy and leadership change, 23andMe will continue to operate normally until the asset sale is concluded.
2025-03-24 14:06:42 bleepingcomputer MALWARE Study Uncovers Hidden Malware Risks in Microsoft 365 Backups
The Acronis Threat Research Unit analyzed security for over 300,000 Microsoft 365 seats, revealing substantial vulnerabilities. Despite Microsoft's built-in security features, the sole reliance on these measures exposes backups to attacks. Detected malicious elements indicate that Microsoft 365's native security is insufficient against modern cyber threats. Persistent threats within the backup data could lead to repeated system re-infections and ongoing security breaches. Microsoft’s "shared responsibility" model emphasizes user accountability for securing data within the cloud infrastructure. The study highlights the necessity for organizations to adopt comprehensive third-party security solutions to bolster defenses. Recommendations for Managed Service Providers (MSPs) and IT teams include implementing a full spectrum of security measures to maintain business continuity and resilience.
2025-03-24 11:54:22 theregister NATION STATE ACTIVITY U.S. Treasury Lifts Sanctions on Tornado Cash Amid Crypto Policy Shift
The U.S. Treasury Department recently reversed sanctions on Tornado Cash, a cryptocurrency mixer originally sanctioned for laundering over $7 billion, including funds from North Korea's Lazarus Group. Despite lifting sanctions, the U.S. continues to express significant concerns about the misuse of Tornado Cash and the ongoing state-sponsored cyber activities primarily from North Korea. The decision to lift sanctions follows a federal appeals court ruling challenging the Treasury’s authority to ban the crypto mixer’s smart contracts. Two co-founders of Tornado Cash faced indictments in the U.S. for facilitating criminal proceeds, with one still on the FBI's wanted list. This policy reversal aligns with broader changes in the administration's approach to cryptocurrency regulation, including SEC discussions on applying securities laws to digital assets. The U.S. Securities and Exchange Commission (SEC) opted not to appeal a legal decision favoring Ripple Labs in a significant case about the classification of cryptocurrencies, affecting XRP's market value positively. Bipartisan political support grows around cryptocurrency regulation, evidenced by discussions and updates to the GENIUS Act concerning stablecoins. The U.S. remains vigilant in monitoring crypto transactions that could support malign actors or benefit DPRK, with a continued focus on using legal powers to disrupt these activities.
2025-03-24 11:38:26 thehackernews CYBERCRIME GitHub Attack Unleashes Supply Chain, AI Malware Threats
A manipulation in an open-source GitHub tool led to a widespread supply chain compromise, initially targeting a Coinbase project. The subsequent campaign leaked crucial CI/CD secrets across numerous repositories, suspected to be a financially motivated attack aimed at cryptocurrency theft. A new comprehensive malware is silently capturing passwords, cryptocurrency information, and taking over systems while remaining undetected. Over 300 Android applications were discovered conducting ad fraud, disguising their malicious activities behind regular app icons. Ransomware groups are enhancing their methods by utilizing stolen drivers to disable security systems. Recent transitions include threat groups moving from activism to for-profit activities, and trusted browser extensions being converted into tools for cyber attacks. Both attackers and defenders are increasingly adopting AI technologies to advance their tactics amidst this evolving cyber threat landscape. Critical security advisories urge prompt updates to prevent exploitation, highlighting vulnerabilities in software ranging from infrastructure management to content management systems.
2025-03-24 11:15:04 thehackernews MALWARE Malicious VSCode Extensions Found Deploying Ransomware
Two malicious extensions in the Visual Studio Code (VSCode) Marketplace were discovered deploying early-stage ransomware. The extensions, named "ahban.shiba" and "ahban.cychelloworld," have been removed by marketplace maintainers after the discovery by ReversingLabs. The malicious code within these extensions was designed to execute a PowerShell command which fetched and ran a ransomware script from a remote server. The ransomware targeted files in a specific desktop folder ("testShiba"), encrypting them and demanding ransom in ShibaCoin. Indications suggest the ransomware was under development, evident from the lack of complete ransom details provided to victims. This incident follows the reporting of malicious Zoom-like extensions and a malicious Maven package that exfiltrates OAuth credentials periodically. Attackers employed typosquatting tactics to enhance the perceived legitimacy of their malicious offerings, potentially misleading developers to integrate these into projects.
2025-03-24 11:07:07 thehackernews MISCELLANEOUS Balancing Strong Password Security with Seamless User Experience
Most users prefer seamless user experiences over stringent security protocols, often compromising password security. High user friction can lead to non-compliance with security measures, increasing cyber risk through behaviors like password reuse or sharing. Effective user experience (UX) designs in security protocols can enhance compliance and minimize disruptions, improving overall cybersecurity. Implementing user-friendly password policies, such as promoting passphrases over complex passwords, can improve security and usability. Providing dynamic feedback during password creation and handling forced resets gracefully can help reduce user frustration. Security teams should consider password aging strategies that adjust required changes based on password strength, optimizing both security and UX. The adoption of nuanced password policies can help organizations maintain robust security while improving user satisfaction and compliance.