Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11838
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-03-19 20:39:44 | bleepingcomputer | NATION STATE ACTIVITY | Ukrainian Military Hit by Signal-Based Spear-Phishing Attacks | Ukraine’s CERT-UA has issued warnings about spear-phishing attacks targeting the country's defense sector and military personnel using compromised Signal accounts.
The attacks involve sending malware-laden Signal messages masked as meeting reports from known contacts, increasing the likelihood of the targets engaging with the malicious content.
Each message carries an archive containing a decoy PDF and an executable which, when launched, deploys the DarkTortilla cryptor/loader.
The loader then decrypts and runs Dark Crystal RAT (DCRAT), a remote access trojan that gives the operators remote control of the infected machine.
These attacks are part of the UAC-0200 threat cluster, which has been using Signal for similar purposes since June 2024, with a notable pivot in February 2025 to topics like UAVs and electronic warfare.
Signal users are advised to disable automatic downloading of attachments, periodically review the devices linked to their account, keep the app updated, and enable two-factor protection (Signal's Registration Lock) to make account takeover harder.
This spear-phishing campaign highlights an escalation in cyber espionage tactics focusing on military technology and strategic assets. | Details |
| 2025-03-19 19:04:22 | theregister | MALWARE | IBM Warns of Critical Vulnerabilities in AIX | IBM has disclosed two critical vulnerabilities in its AIX operating system and is urging immediate patching.
The flaws, tracked as CVE-2024-56346 and CVE-2024-56347, carry CVSS scores of 10.0 and 9.6 respectively.
These security flaws allow remote attackers to execute arbitrary commands due to improper process controls.
Affected versions include AIX 7.2 and 7.3, primarily used in critical infrastructure within finance, healthcare, and telecoms.
The more severe of the two, CVE-2024-56346, affects the Network Installation Management (NIM) master service used for OS installation and maintenance, and can be exploited remotely without user interaction.
Exploitation could lead to data theft, ransomware attacks, and significant disruption in vital services.
IBM has not provided detailed vulnerability specifics or exploitation methods, emphasizing the critical need for patching without delay.
No temporary mitigations are available; applying patches is mandatory given the software's role in essential industry applications. | Details |
| 2025-03-19 18:01:21 | bleepingcomputer | MALWARE | New Arcane Malware Targets Gamers via YouTube and Discord | Arcane, a newly identified infostealer malware, exploits game cheats and cracks on platforms like YouTube and Discord to compromise user data.
Despite sharing a name with Arcane Stealer V, the new malware shows no code overlap or other connection to it.
The malware operates by deceiving users into downloading malicious files through fake game cheats, subsequently disabling Windows Defender to avoid detection.
Most infections have been reported in Russia, Belarus, and Kazakhstan, which is unusual given that Russian-based cyber actors generally avoid attacking these regions.
Arcane targets information from VPNs, gaming platforms, messaging applications, and web browsers, extracting sensitive data such as account credentials and Wi-Fi passwords.
Its distribution has recently expanded to include ArcanaLoader, a downloader advertised on social media as a legitimate tool for fetching popular game cracks and cheats.
Kaspersky emphasizes the extensive data theft achieved by Arcane, making it a significant threat among infostealers.
The report warns of the severe consequences of infostealer infections, including financial fraud and the substantial effort required to mitigate damage post-attack. | Details |
| 2025-03-19 16:04:44 | bleepingcomputer | CYBERCRIME | WhatsApp Patches Zero-Click Exploit Used in Spyware Attacks | WhatsApp fixed a zero-day vulnerability that allowed Paragon's Graphite spyware to be installed without user interaction.
Citizen Lab informed WhatsApp of the zero-click exploit, leading to the identification and patching of the flaw.
Approximately 90 Android users in more than two dozen countries, including Italian journalists and activists, were notified that their devices had been targeted.
The spyware gave its operators access to data held by other applications on the compromised device, including other messaging apps.
Forensic analysis identified a traceable artifact on infected Android devices, aiding detection of the Graphite spyware.
Citizen Lab also uncovered server infrastructure linked to Paragon’s government customers, potentially implicating multiple countries.
Paragon Solutions, the Israeli firm behind Graphite, claims it restricts its market to law enforcement and intelligence sectors in democratic nations.
Paragon has reportedly signed contracts with US agencies including the DEA and ICE for the use of Graphite. | Details |
| 2025-03-19 15:58:48 | thehackernews | MALWARE | Hackers Utilize PHP Flaw for Cryptominers and RAT Deployment | Threat actors are leveraging a critical PHP vulnerability (CVE-2024-4577) to install cryptocurrency miners and Quasar RAT on Windows systems.
The flaw allows remote code execution on Windows systems running PHP in CGI mode.
Most exploitation attempts have been observed in Taiwan, Hong Kong, Brazil, Japan, and India.
About 30% of attacks involve pre-deployment activities, including system reconnaissance and vulnerability checks.
Bitdefender observed campaigns deploying XMRig and NiceHash miners, with the mining processes renamed to look like legitimate system binaries.
Some attackers also modify firewall rules to block IP addresses tied to other known exploitation campaigns, suggesting rival cryptomining groups competing for the same hosts.
Users and organizations are urged to update their PHP versions and restrict the use of powerful tools like PowerShell to administrators to mitigate risks. | Details |
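The summary above does not describe how CVE-2024-4577 is triggered, and a defender reading logs needs that shape. As publicly documented for this CVE, PHP in CGI mode on Windows is vulnerable because the CGI rule that turns a query string without a literal `=` into command-line arguments combines with the Windows "Best-Fit" character mapping, which turns a URL-encoded soft hyphen (`%AD`) into an ASCII `-`, so `%ADd` reaches php-cgi as the `-d` option. The following detector is an added example, not code from Bitdefender or The Hacker News; it models exactly that rule over a handful of constructed access-log lines (not real traffic) and also flags the older plain-hyphen form of php-cgi argument injection. The log format and the path filter are assumptions you would tune to your own servers.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (not real traffic). Two of them mimic the
# publicly documented CVE-2024-4577 request shape (a URL-encoded soft hyphen,
# %AD, in front of a php-cgi option), one uses a plain hyphen, two are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2025:10:02:11 +0000] "GET /index.php?page=2 HTTP/1.1" 200 512
203.0.113.9 - - [19/Mar/2025:10:02:14 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 0
203.0.113.9 - - [19/Mar/2025:10:02:15 +0000] "POST /cgi-bin/php?%adD+cgi.force_redirect%3d0 HTTP/1.1" 200 0
198.51.100.4 - - [19/Mar/2025:10:03:01 +0000] "GET /info.php?-d+display_errors%3d1 HTTP/1.1" 200 88
192.0.2.55 - - [19/Mar/2025:10:03:07 +0000] "GET /search.php?red+fox HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Only requests that plausibly reach php-cgi are interesting; tune to your layout.
PHP_PATH_RE = re.compile(r"(\.php\b|php-cgi|/cgi-bin/)", re.IGNORECASE)


def cgi_argv_from_query(query: str) -> list[bytes] | None:
    """Model the CGI rule (RFC 3875 section 4.4) that makes the flaw reachable:
    a query string with no unencoded '=' is split on '+' and every piece is
    URL-decoded and handed to the CGI program as a command-line argument."""
    if "=" in query:
        return None
    return [unquote_to_bytes(part) for part in query.split("+")]


def best_fit(arg: bytes) -> bytes:
    """Emulate the Windows 'Best-Fit' mapping behind CVE-2024-4577: in affected
    locales a soft hyphen (0xAD) is converted to an ASCII hyphen (0x2D) before
    php-cgi parses its arguments, so %AD behaves like '-'."""
    return arg.replace(b"\xad", b"-")


def classify_target(target: str) -> str | None:
    """Return 'soft-hyphen', 'plain-hyphen' or None for one request target."""
    path, sep, query = target.partition("?")
    if not sep or not query or not PHP_PATH_RE.search(path):
        return None
    argv = cgi_argv_from_query(query)
    if argv is None:
        return None
    for raw in argv:
        if best_fit(raw).startswith(b"-"):
            # Only the soft-hyphen form needs the CVE-2024-4577 Best-Fit bug;
            # a plain hyphen is the classic php-cgi argument-injection shape.
            return "soft-hyphen" if raw.startswith(b"\xad") else "plain-hyphen"
    return None


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, finding, target) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = classify_target(m.group("target"))
        if finding:
            hits.append((line.split(" ", 1)[0], finding, m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, finding, target in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {finding:12} {target}")
```

Run against the sample, the scanner flags the two `%AD` requests from 203.0.113.9 and the plain `-d` request from 198.51.100.4 and ignores the two ordinary queries. Any `+`-separated query whose first piece begins with a hyphen is reported, so a site that legitimately serves such queries will want the path filter narrowed; the absence of a literal `=` is the part of the check that matters, because it is what makes php-cgi treat the query as arguments at all.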
| 2025-03-19 14:05:02 | bleepingcomputer | CYBERCRIME | Modern Phishing Attacks: Evolving Beyond Email Security | Despite major investments in security solutions, phishing attacks continue to be a significant problem, evading traditional email-based defenses.
In 2024, identity-based attacks, predominantly via phishing or stolen credentials, accounted for 80% of initial access breaches; 69% of organizations reported phishing incidents.
Modern phishing techniques, such as Adversary-in-the-Middle (AitM) phishing kits, effectively bypass Multi-Factor Authentication (MFA) and mimic legitimate login portals to intercept user credentials.
Current defenses like known-bad blocklists and sandbox environments fall short as attackers constantly modify URLs, use legitimate services, and employ evasion techniques against automated detections.
Traditional email-based phishing protections are proving insufficient against sophisticated phishing schemes that exploit multiple platforms beyond just email.
Push Security offers a browser-based identity security solution that detects and blocks phishing attacks in real time inside users' browsers.
The solution demonstrated higher effectiveness in detecting and blocking phishing attempts by monitoring live webpages and intercepting malicious activities before damage can occur. | Details |
| 2025-03-19 13:57:14 | thehackernews | NATION STATE ACTIVITY | Leaked Chats Show Russian Officials Aiding Cybercriminal's Escape | Leaked internal chat logs tie the Black Basta ransomware group to possible Russian governmental support.
The more than 200,000 messages, published on Telegram by the account @ExploitWhispers, cover the group's internal communications from September 2023 to September 2024.
Trellix's analysis of the logs indicates that Oleg Nefedov, the group's alleged leader, was helped by Russian officials to escape after being detained in Armenia in June 2024.
Nefedov reportedly used high-level contacts to facilitate his escape through a "green corridor."
The leak complicates Black Basta's operations, as it reveals deep insights into their methods and connections, hindering their ability to rebrand or start anew.
Further disclosures show Black Basta developing a brute-forcing tool called BRUTED for attacks on network edge devices, highlighting significant investment in cyberattack capabilities.
The BRUTED tool is employed for large-scale internet scanning and credential stuffing, aimed at infiltrating corporate networks. | Details |
| 2025-03-19 13:07:09 | theregister | NATION STATE ACTIVITY | Former US Cyber Commander Discusses Intel Sharing Challenges | General Paul Nakasone, former leader of US Cyber Command and the NSA, expressed concerns over the US's week-long pause on sharing cybersecurity intelligence with Ukraine.
Nakasone spoke at the Wall Street Journal Tech Live Cybersecurity event, highlighting the significant advantages derived from U.S. intelligence-sharing with allies.
He noted that Europe and the other Five Eyes nations (Australia, Britain, Canada, and New Zealand) are capable partners but would struggle to replace the breadth of cyber-threat information the U.S. provides.
A halt in U.S. intelligence sharing, once considered unthinkable, became reality under recent policy changes by President Donald Trump.
These abrupt alterations in U.S. foreign policy, including suspending military aid to Ukraine, have increased pressure on European nations to bolster military support for Ukraine.
Concerns have escalated among international partners regarding the reliability and safety of sharing intelligence with the U.S., especially given its recent unpredictable foreign policy decisions. | Details |
| 2025-03-19 11:39:12 | thehackernews | MISCELLANEOUS | Upcoming Webinar: Proactive Strategies Against Identity-Based Attacks | The upcoming webinar titled "How to Eliminate Identity-Based Threats" aims to educate on proactive security measures.
Featured speakers include Beyond Identity experts Jing Reyhan and Louis Marascio.
The session will focus on cutting-edge strategies to prevent phishing, adversary-in-the-middle attacks, and more.
Participants will learn how a secure-by-design access solution can pre-emptively block various identity-based attacks.
The session aims to move organizations from reactive security responses to proactive prevention.
The webinar is designed for a diverse audience, requiring no prior technical expertise.
Registration is encouraged for those looking to enhance their organization's security posture.
The event is an opportunity to drastically reshape how security is managed within organizations. | Details |
| 2025-03-19 11:05:20 | thehackernews | MALWARE | ClearFake Campaign Uses Web3 and Social Engineering to Spread Malware | The ClearFake malware campaign employs fake reCAPTCHA and Cloudflare Turnstile lures on infected websites to trick users into downloading malware.
Initially detected in July 2023, ClearFake targets both Windows and macOS systems with info-stealing malware such as Lumma Stealer and Vidar Stealer.
The campaign uses EtherHiding, fetching its payloads from smart contracts on the BNB Smart Chain (formerly Binance Smart Chain), which makes the delivery infrastructure hard to take down and helps evade detection.
Since May 2024, ClearFake has also used ClickFix, a lure that instructs victims to paste and run a malicious PowerShell command under the pretext of fixing a browser or verification problem.
The campaign has compromised at least 9,300 websites worldwide, continuously updating its lures and payloads.
The campaign fingerprints victim systems before delivery and chains several stages, combining social engineering with Web3-hosted infrastructure, to deliver the malware.
Recent findings in January 2025 show an alternate attack chain using a PowerShell loader to install Vidar Stealer.
In a related incident, a third-party video service used by more than 100 car dealership websites was compromised to serve the ClickFix lure and deploy SectopRAT, illustrating the supply chain exposure created by embedded third-party scripts. | Details |
| 2025-03-19 10:33:52 | thehackernews | CYBERCRIME | Essential Strategies for Enhancing SaaS Security Against Identity Threats | Identity-based cyber attacks are escalating, targeting SaaS environments through compromised credentials and misused privileges.
Traditional threat detection tools such as XDRs and EDRs are insufficient as they do not fully cover SaaS applications, leaving significant vulnerabilities.
Effective SaaS Identity Threat Detection and Response (ITDR) must provide comprehensive coverage to counteract these identity threats effectively.
ITDR solutions should be identity-centric, focusing on detecting and correlating abnormal activities per identity, rather than merely listing security events chronologically.
Threat intelligence integration matters for spotting sophisticated threats that would otherwise go undetected.
Prioritization within ITDR systems helps mitigate alert fatigue by focusing on genuine, critical threats, improving overall security response.
Integrations in ITDR systems should promote automated workflows, boosting efficiency and minimizing the operational burden on security teams.
Incorporating SaaS Security Posture Management (SSPM) alongside ITDR equips organizations with robust first-line defenses, minimizing potential attack surfaces. | Details |
| 2025-03-19 08:41:06 | theregister | MISCELLANEOUS | AI Struggles with Buggy Code, Often Replicates Errors | Research conducted by scientists across multiple institutions shows that large language models (LLMs) often replicate bugs in the code they are completing.
In tests using code snippets from the Defects4J dataset, leading models including OpenAI's GPT series and Google's Gemma continued the buggy code rather than correcting it.
GPT-4 produced buggy completions nearly as often as correct ones, underscoring the limits of AI-driven code completion.
44.44% of the bugs the models produced were identical to the historical bugs in the dataset, and OpenAI's GPT-4o reproduced them at a rate of 82.61%.
Some models demonstrated less dependency on historical errors, indicating variations in how different LLMs handle bug replication.
Models performed markedly worse on method invocations and return statements than on simpler syntactic constructs.
Further research is urged to improve AI’s understanding of code semantics and syntax and to refine error detection and handling in development tools.
The study highlights significant limitations in current AI capabilities concerning complex code dependencies and error memorization. | Details |
| 2025-03-19 07:05:14 | thehackernews | MALWARE | Critical Vulnerabilities Identified in mySCADA myPRO Systems | Two critical vulnerabilities found in mySCADA myPRO could allow complete system takeover.
Both flaws, rated 9.3 on CVSS v4, allow command injection and therefore arbitrary code execution.
They stem from user-supplied input that reaches OS command execution without proper sanitization.
Exploitation risks include operational disruptions, financial losses, and safety hazards.
PRODAFT underscores the persistent security concerns in SCADA environments.
Immediate actions advised include applying the latest patches and enhancing network segmentation.
Organizations should also enforce strong authentication and monitor for any suspicious activities. | Details |
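The mySCADA summary describes the vulnerability class (unsanitized input reaching OS command execution) without showing what that looks like in code. The following is an added, generic illustration written for this brief; it is not mySCADA's code and says nothing about how myPRO is built. It assumes a hypothetical "show log file" diagnostic that takes a file name from a request, and shows the injectable version next to a hardened one that validates against an allow-list and passes an argv list instead of a shell string.

```python
from __future__ import annotations

import re
import subprocess

# Hypothetical "show log file" diagnostic that takes a file name from a web
# request. Constructed for this illustration; it is not mySCADA's code.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def vulnerable_command(name: str) -> str:
    """Builds a shell command line by string interpolation. /bin/sh parses the
    whole string, so metacharacters in `name` (; | & $( ) ` newline) end the
    intended command and start an attacker-chosen one."""
    return f"ls -l /var/log/{name}"


def run_vulnerable(name: str) -> str:
    """Executes through the shell: the classic command-injection sink."""
    result = subprocess.run(vulnerable_command(name), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def hardened_argv(name: str) -> list[str]:
    """Allow-list validation, then an argv list with no shell involved.
    Whatever survives validation can only ever be one argument to ls,
    and the '..' check keeps the name inside /var/log."""
    if not SAFE_NAME_RE.fullmatch(name) or ".." in name:
        raise ValueError(f"rejected log name: {name!r}")
    return ["ls", "-l", f"/var/log/{name}"]


def run_hardened(name: str) -> str:
    """Executes without a shell: the input is data, never syntax."""
    result = subprocess.run(hardened_argv(name), capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "syslog; echo INJECTED"
    print("vulnerable:", run_vulnerable(payload).strip())   # output contains INJECTED
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened:", exc)
```

The payload `syslog; echo INJECTED` is deliberately harmless so the block can be run safely; any other shell command would execute the same way in the vulnerable path. The hardened path rejects it before anything runs, and even a value that passed validation could not become a second command, because `subprocess.run` with a list never invokes a shell.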
| 2025-03-19 05:11:53 | thehackernews | CYBERCRIME | CISA Alerts to GitHub Action Malicious Code Injection Threat | CISA has identified an actively exploited vulnerability in the GitHub Action, tj-actions/changed-files, adding it to the KEV catalog.
The vulnerability, tracked as CVE-2025-30066 (CVSS 8.6), covers malicious code injected into the action that exposed sensitive data to unauthorized parties.
Attackers exploited this vulnerability to steal secrets such as AWS keys, GitHub tokens, npm tokens, and RSA keys from action logs.
The attack originated from a compromised GitHub Action, reviewdog/action-setup@v1, which subsequently affected tj-actions/changed-files.
This incident is considered part of a larger cascading supply chain attack, posing significant security risks to CI/CD workflows.
Users, especially federal agencies, are urged to update tj-actions/changed-files to version 46.0.1 by April 4, 2025, and consider security measures like rotating exposed secrets and pinning GitHub Actions to specific commits.
The compromise highlights the risks in increasing the contributor base without stringent access controls, raising concerns over the security of GitHub repositories. | Details |
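The advice above (update tj-actions/changed-files to 46.0.1 and pin actions to commits) is easy to state and tedious to verify across many repositories. The script below is an added example, not code from CISA, GitHub or the action's maintainers; it audits the `uses:` lines of a workflow file with the standard library only (a plain regex rather than a YAML parser, which is adequate for the usual `- uses:` step layout and is an assumption here), reports any reference that is not a 40-character commit SHA, and separately flags tj-actions/changed-files below the fixed release named in the KEV entry. The sample workflow and the commit SHA in it are constructed for the illustration.

```python
from __future__ import annotations

import re

# Constructed sample workflow (not from any real repository). The commit SHA on
# the setup-node line is illustrative, not a real upstream commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: "tj-actions/changed-files@v46.0.1"
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
FIXED_VERSION = (46, 0, 1)  # tj-actions/changed-files release named in the CISA KEV entry


def parse_version(ref: str) -> tuple[int, ...] | None:
    """'v45' -> (45, 0, 0); 'v46.0.1' -> (46, 0, 1); branches and SHAs -> None."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", ref)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def classify_use(spec: str) -> str:
    """Classify one `uses:` value.
    pinned   - owner/repo@<40-hex commit SHA>; the only immutable form
    outdated - tj-actions/changed-files at a version below 46.0.1
    mutable  - a tag or branch, which whoever can push to the repository
               can move to any commit after you reviewed it
    local    - ./path or docker:// references, out of scope for this check
    """
    spec = spec.strip("'\"")
    if spec.startswith("./") or spec.startswith("docker://"):
        return "local"
    repo, _, ref = spec.partition("@")
    if SHA_RE.fullmatch(ref):
        return "pinned"
    if repo.lower() == "tj-actions/changed-files":
        ver = parse_version(ref)
        if ver is not None and ver < FIXED_VERSION:
            return "outdated"
    return "mutable"  # includes a missing ref, which resolves to the default branch


def audit_workflow(text: str) -> list[tuple[str, str]]:
    """Return (uses-spec, finding) for every `uses:` line in a workflow file."""
    return [(spec.strip("'\""), classify_use(spec)) for spec in USES_RE.findall(text)]


if __name__ == "__main__":
    for spec, finding in audit_workflow(SAMPLE_WORKFLOW):
        if finding != "pinned":
            print(f"{finding:8} {spec}")
```

Note that `tj-actions/changed-files@v46.0.1` is still reported as mutable even though it names the fixed release: in this incident the attackers moved existing version tags to point at the malicious commit, so a tag that looked safe when reviewed could later resolve to compromised code. A SHA pin is the only reference the action's owner cannot silently retarget, and the check treats it as the only acceptable form.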
| 2025-03-18 22:56:14 | bleepingcomputer | DATA BREACH | California Cryobank Suffers Data Breach Exposing Sensitive Info | California Cryobank detected suspicious activity in their network on April 21, 2024, which led to the confirmation of a data breach.
Unauthorized access occurred between April 20 and April 22, 2024, potentially compromising personal customer data.
Exposed personal data may include names, Social Security numbers, driver’s licenses, bank account details, payment card numbers, and health insurance information.
The breach affects the largest sperm bank in the US, which serves clients in all 50 states and more than 30 countries.
California Cryobank is offering free one-year credit monitoring to affected individuals and has implemented additional security measures post-breach.
If donor ID numbers were among the exposed data, that would raise particular privacy concerns given the anonymity normally associated with sperm donation; the company has not confirmed whether they were. | Details |