Daily Brief

CISA recently reinstated staff terminated during their probationary period but placed them on paid administrative leave following a federal judge's ruling. The decision to bench the reinstated employees stems from ongoing legal proceedings challenging the legality of the broad federal layoffs initiated by the DOGE unit. About 25,000 federal workers nationwide were impacted by the layoffs, with a portion from CISA that has been temporarily reinstated. The reinstatement order came after a judge deemed the dismissals unlawful, affecting workers terminated since January 20, 2025. Reinstated employees remain on paid leave and are not allowed to work until the legal disputes are resolved. The efficiency of CISA has been questioned, as it now pays staff unable to perform their duties amidst the legal battles. The situation continues to evolve, with the potential for further adjustments based on the outcomes of the ongoing court cases.

A GitHub Action named "reviewdog/action-setup@v1" was initially compromised, triggering a supply chain attack. The attack led to the breach of "tj-actions/changed-files," resulting in the leakage of CI/CD secrets across 23,000 repositories. Malicious code was placed in GitHub Actions to write secrets to publicly visible logs, risking exposure of sensitive data if accessed. The breach entry point was suspected to be a compromised GitHub personal access token (PAT), specifically from a bot using another action. Wiz cybersecurity researchers suggested the compromised "reviewdog" action potentially led to the unauthorized access and further breaches. The security flaw exposed by the attackers could reoccur if not addressed, as similar actions remained vulnerable to this type of attack. Recommendations for affected projects include running specific GitHub queries, removing compromised actions, deleting logs, and rotating secrets. Enhanced security measures proposed include pinning GitHub Actions to commit hashes and using allow-lists to limit actions' scope.

Western Alliance Bank has informed 21,899 customers of a data breach resulting from a compromised third-party vendor's software in October. The breach exploited a zero-day vulnerability in secure file transfer software, which was not named in the notifications, leading to unauthorized access to personal customer data including Social Security numbers and financial account details. The attackers managed to exfiltrate files containing sensitive customer information from October 12, 2024, to October 24, 2024. Western Alliance concluded its analysis of the stolen data on February 21, 2025, confirming the breach of personal information. There is no current evidence that the exposed data has been used for fraud or identity theft, although customers are being offered one year of free credit monitoring through Experian IdentityWorks Credit 3B. The data breach was part of a broader series of attacks by the Clop ransomware gang, exploiting a known vulnerability in Cleo’s widely used data transfer software, affecting potentially thousands of other organizations. Clop ransomware was also responsible for deploying a JAVA backdoor called "Malichus" in some instances of the compromised software, further complicating the security landscape for affected companies.

The IT unemployment rate in the US has slightly decreased from 5.7% to 5.4%, according to recent data from Janco Associates. Despite the overall decrease in unemployment, the total number of IT jobs slightly contracted, shedding about 9,100 positions so far this year. Economic uncertainties and rapid policy changes under the Trump administration are poised to affect future IT hiring negatively. The CompTIA report highlights a lower-than-national average unemployment rate for tech professionals at 3.3%, but warns of mixed job market signals ahead. Federal Government job cuts under Elon Musk’s Department of Government Efficiency have created additional uncertainty, particularly for government IT professionals. The demand for AI skills is booming, with job listings requiring AI expertise more than doubling year-over-year in February. Questions continue about the long-term impact of tariffs, tax policies, and global conflicts on the tech job market.

Over 300 Android applications identified as malicious were downloaded 60 million times from Google Play, engaging in adware activities and phishing attacks. IAS Threat Lab named this operation "Vapor," with activities recorded since early 2024; Bitdefender's report expanded the malicious app count to 331. The malware campaign is characterized by the use of utilities like health apps and QR scanners, which contain hidden malicious functionalities activated after installation. Malicious functions include hiding app icons post-installation and creating overlays to display ads or fake login screens to harvest credentials and financial information. Despite removal from Google Play, the risk of these apps reappearing remains high as operators have previously circumvented Google's app review processes. Users are advised to scrutinize app permissions rigorously and remove any suspicious apps immediately, while running comprehensive security scans. Key infectious regions include Brazil, the United States, Mexico, Turkey, and South Korea, reflecting the malware's widespread impact.

Since 2017, at least eleven state-backed hacker groups from countries like North Korea, Iran, Russia, and China have been exploiting a newly discovered Windows zero-day vulnerability. This vulnerability, identified by security researchers and internally tracked as ZDI-CAN-25373 by Trend Micro's Zero Day Initiative (ZDI), allows attackers to execute arbitrary code on affected Windows systems through manipulated shortcut (.lnk) files. Despite significant evidence of its exploitation in cyber espionage and data theft, Microsoft has decided not to issue a security patch for this vulnerability, asserting that it does not meet their criteria for servicing. The flaw is primarily used in espionage, with nearly 70% of the identified attacks focused on information theft; financial motives were secondary, constituting about 20% of the cases. The exploit conceals malicious command-line arguments within .LNK files using padded whitespaces, making them invisible in the Windows UI and undetectable to users inspecting the files. The campaigns leveraging this vulnerability have targeted a wide geographical range, including North America, South America, Europe, East Asia, and Australia, affecting various sectors. Diverse malware payloads and loaders, such as Ursnif, Gh0st RAT, and Trickbot, have been deployed through the exploitation of this flaw, further complicated by the use of malware-as-a-service (MaaS) platforms.

Google has entered into a definitive agreement to acquire Wiz, a cloud security platform, for $32 billion in cash. Wiz, established in 2020, has rapidly grown to be a significant player in the cybersecurity industry, specializing in cloud service security. The platform allows seamless integration with major cloud providers such as AWS, Microsoft Azure, and Oracle Cloud, enhancing enterprise ability to detect and manage security risks from a unified dashboard. This acquisition marks Google's largest to date, underscoring its strategic emphasis on enhancing cybersecurity infrastructure within cloud computing. Assaf Rappaport, CEO of Wiz, emphasized the deal’s potential to make advanced cybersecurity more accessible across various cloud environments. Industry observers note the acquisition comes amidst rising cybersecurity threats targeting cloud platforms for data theft and espionage. Once the acquisition is finalized, Wiz will integrate into Google Cloud Security’s portfolio, adding to Google's recent acquisitions like Mandiant. The transaction awaits regulatory approval and is expected to conclude in 2026.

Cybersecurity experts have unveiled a new type of supply chain attack called Rules File Backdoor that targets AI-powered code editors like GitHub Copilot and Cursor. This attack manipulates AI code editors to inject harmful code by altering rule files, which guide the AI's coding suggestions. Attackers use hidden unicode characters and complex evasion methods to embed malicious directives within these configuration files, deceiving the AI into generating compromised code. This technique causes the AI to inadvertently create security vulnerabilities or backdoors within otherwise normal code, bypassing traditional code review processes. The exploitation of these AI tools poses a significant supply chain threat, as the tampered code can spread across projects and persist through software forks, impacting downstream software dependencies. Both Cursor and GitHub have responded by advising users to diligently review and verify all AI-generated code suggestions. The potential impact of this vulnerability is vast, potentially affecting millions of end-users by propagating compromised software through trusted development tools.

A critical vulnerability in American Megatrends International's MegaRAC BMC software allows remote attackers to hijack and potentially brick servers. The flaw, identified as CVE-2024-54085, affects software that provides remote system management for various server vendors serving cloud and data center providers. Attackers can exploit the vulnerability without needing user interaction, using Redfish remote management interfaces. Potential impacts include remote malware deployment, firmware tampering, physical server damage, and unstoppable reboot loops. Eclypsium researchers, who identified the vulnerability, have found over 1,000 potentially exposed servers using Shodan. Previous vulnerabilities within the MegaRAC ecosystem were revealed, highlighting ongoing security challenges. Immediate application of patches released by AMI, Lenovo, and HPE is critical to mitigate risks. Continuous server log monitoring and limiting AMI MegaRAC online exposure are recommended to enhance defense mechanisms.

An eight-year-old Windows shortcut (.LNK) exploit has been continually used for spying, primarily by North Korea, Russia, and China. Microsoft has not fixed the issue, classifying it as a UI problem rather than a security vulnerability, suggesting a fix may come in a future OS update. The exploit involves .LNK files that, while appearing legitimate, contain malicious commands hidden within excessive whitespace, making them hard to detect visually. Trend Micro's Zero Day Initiative identified and reported nearly 1,000 cases of these tampered files but suggests the actual number could be higher. Victims predominantly include government entities, with significant attacks also on the private sector, financial institutions, and telecommunications. About 70% of the identified attacks were for espionage, with a further 20% aimed at financial goals. The exploit allows local code execution which, when combined with a privilege escalation flaw, could lead to full system compromise.

Google has announced its largest acquisition yet, purchasing cloud security company Wiz for $32 billion in cash. The acquisition aims to accelerate advancements in cloud security and support multicloud operations consistent with emerging AI-driven trends. Google Cloud CEO Thomas Kurian highlighted the purchase would foster multicloud cybersecurity adoption and stimulate competition in cloud computing. Wiz will remain an independent entity serving various cloud platforms including AWS, Azure, and Oracle, ensuring its multicloud capabilities. This strategic move follows Google’s history of security-oriented acquisitions, such as Mandiant in 2019 and Siemplify in 2022. The deal is still pending regulatory approval.

An unpatched vulnerability in Microsoft Windows has been exploited by 11 state-sponsored groups from countries including China, Iran, North Korea, and Russia since 2017. This zero-day flaw, identified as ZDI-CAN-25373, is found in handling Windows Shortcut files (.LNK) which allows execution of hidden malicious commands. Almost 1,000 malicious .LNK files utilizing this vulnerability have been discovered, linked primarily to groups such as Evil Corp and Kimsuky. The exploitation tactics involve padding the command line arguments within .LNK files with special characters to avoid detection. Targeted entities span across sectors and global regions, including governments, military, financial organizations, and think tanks in the US, Canada, Russia, South Korea, Vietnam, and Brazil. The discovered .LNK files have been used to deliver notorious malware like Lumma Stealer, GuLoader, and Remcos RAT. Despite the extensive use and significant impact, Microsoft has rated this issue as low severity and does not plan to issue a remedy. The exploitation highlights potential collaboration among North Korean cyber threat groups and signifies a severe risk of data theft and espionage.

Blockchain gaming platform WEMIX was hacked on February 28, 2025, resulting in the theft of 8,654,860 WEMIX tokens valued at approximately $6.1 million. WEMIX CEO Kim Seok-Hwan confirmed the cyberattack during a press conference, explaining the delayed announcement was strategic to mitigate further risk. Upon discovering the hack, WEMIX shut down the compromised server and initiated an in-depth investigation with the help of local law enforcement agencies. The hackers accessed the platform using stolen authentication keys from a shared repository and carried out their attack over two months. The majority of the stolen WEMIX tokens were rapidly sold off, complicating recovery efforts and impacting market stability. WEMIX services are currently offline as the company works on migrating its systems to a more secure infrastructure with plans to restore full service by March 21, 2025. WEMIX has been classified as an "investment caution" asset, and the Digital Asset Exchange Alliance (DAXA) has suspended deposits, which WEMIX intends to appeal.

A severe security flaw in AMI's MegaRAC BMC could enable unauthorized remote server control and system bricking. Tracked as CVE-2024-54085, this vulnerability received the highest severity score (CVSS v4 score of 10.0). Attackers can exploit this through the remote management interfaces or internal host connections to perform malicious actions like deploying ransomware or causing physical server damage. The flaw could be used for disruptive tactics, repeatedly rebooting affected devices to create indefinite downtime. AMI has issued patches as of March 11, 2025, to mitigate this issue in the affected BMC software stack. No current evidence indicates the vulnerability has been exploited in the wild, but updates from OEM vendors remain essential. Potential user impact is significant due to AMI's role in the BIOS supply chain, affecting products from over a dozen manufacturers.

A large-scale ad fraud campaign identified as “Vapor” has exploited over 331 Android apps on the Google Play Store, affecting 60+ million downloads. The fraudulent apps served intrusive full-screen ads and phishing attacks, aiming to collect user credentials and credit card information. These apps masqueraded as legitimate utility, fitness, and lifestyle applications, deceiving users into installing them. Fraudsters used sophisticated tactics such as multiple developer accounts and versioning to evade detection and bypass Google’s security measures. Google has since removed these apps, but not before they generated over 200 million daily bid requests from unsuspecting users. The threat actors employed techniques such as hiding app icons and mimicking legitimate services to stay undetected on newer Android versions. The campaign, active since around April 2024 and expanding in the following year, illustrates a growing trend in sophisticated cybercriminal strategies targeting app markets.