Daily Brief
Total articles found: 11839
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-03-14 22:36:40 | bleepingcomputer | CYBERCRIME | Coinbase Phishing Scam Deceives Users With Fake Wallet Setup | A sophisticated phishing campaign targeting Coinbase users disguises itself as a mandatory wallet migration, prompting recipients to create a new wallet with an attacker-controlled recovery phrase.
The phishing emails, mimicking official Coinbase communications, falsely claim that due to a court order from a lawsuit, users must transition to self-custodial wallets and operate Coinbase only as a registered broker.
Attackers cleverly do not use phishing links in the emails; instead, all links direct to the legitimate Coinbase Wallet page, avoiding traditional phishing detection methods.
Recipients are tricked into using a recovery phrase provided in the email to set up their new Coinbase Wallet, giving attackers complete access to transfer any deposited assets.
The phishing operation passes the SPF, DMARC, and DKIM email security checks through SendGrid and an Akamai email domain, making it harder to flag as suspicious.
Coinbase has responded to the situation by informing users via a post on X that they will never send out recovery phrases and to be skeptical of such emails.
Akamai has acknowledged the misuse of their domain in this phishing scam and is currently investigating, emphasizing the need for heightened vigilance against phishing attempts. | Details |
| 2025-03-14 17:01:43 | bleepingcomputer | CYBERCRIME | Ransomware Gang Enhances Attacks with Automated Brute Force Tool | Black Basta ransomware group has developed an automated brute-forcing framework named BRUTED, targeting VPNs and other edge devices.
BRUTED enables the gang to execute streamlined, large-scale attacks, enhancing their ability to breach networks via internet-exposed endpoints.
An EclecticIQ researcher uncovered the BRUTED details through analysis of the gang's internal communications and shared the framework's source code.
The tool targets multiple products including SonicWall, Palo Alto GlobalProtect, Cisco AnyConnect, among others, automating credential stuffing and brute force attacks.
BRUTED utilizes an infrastructure based in Russia, masking operations via SOCKS5 proxies to evade detection, while the command-and-control servers coordinate the attacks.
Defense recommendations against such attacks include enforcing strong, unique passwords, using multi-factor authentication, and maintaining up-to-date device patches.
A list of IPs and domains associated with BRUTED has been circulated to help institutions block potential malicious traffic and strengthen their cyber defenses. | Details |
| 2025-03-14 16:49:05 | bleepingcomputer | DDOS | Cisco Patches BGP Vulnerability in IOS XR Routers | Cisco has fixed a high-severity denial of service vulnerability in its IOS XR software that could crash routers by exploiting the Border Gateway Protocol (BGP).
The flaw, designated CVE-2025-20115, targets BGP confederations; it can be triggered by a crafted BGP update causing a buffer overflow, leading to memory corruption and a BGP process restart.
Devices affected include Cisco’s carrier-grade routers such as the ASR 9000, NCS 5500, and 8000 series.
The vulnerability can be exploited by unauthenticated attackers in simple attacks, though it requires specific conditions like a BGP confederation speaker sending a message with the AS_CONFED_SEQUENCE attribute at 255 AS numbers.
Cisco advises customers unable to immediately deploy the security patches to restrict the BGP AS_CONFED_SEQUENCE attribute to 254 or fewer AS numbers as a temporary workaround.
The company confirmed that this vulnerability has not been observed in active exploits in the wild.
This disclosure follows a recent series of security alerts from Cisco, including other vulnerabilities in Webex and certain VPN routers which are actively being exploited. | Details |
| 2025-03-14 15:08:59 | thehackernews | CYBERCRIME | Alleged LockBit Ransomware Developer Extradited to U.S. for Trial | Rostislav Panev, a dual Russian and Israeli national, has been extradited to the United States on charges related to his role as a developer for the LockBit ransomware group.
Panev was arrested in Israel in August 2024 and is accused of working with LockBit from 2019 until its online operations were disrupted in February 2024.
The LockBit ransomware group has targeted over 2,500 entities in 120 countries, including major corporations, healthcare facilities, schools, and government agencies, causing significant financial damage.
Panev purportedly earned $230,000 by developing and maintaining software that disabled antivirus programs, deployed malware, and executed ransom demands across victim networks.
The United States Attorney emphasized the commitment of the U.S. to pursue and prosecute members of the LockBit conspiracy as part of broader efforts to combat global cybercrime.
Besides Panev, six other LockBit affiliates have been charged in the U.S., with some also facing sanctions from the Treasury's Office of Foreign Assets Control (OFAC). | Details |
| 2025-03-14 14:53:58 | thehackernews | MISCELLANEOUS | GSMA Announces Enhanced Security with End-to-End Encryption for RCS | The GSM Association (GSMA) has introduced end-to-end encryption (E2EE) for Rich Communications Services (RCS), enhancing security for cross-platform messaging between Android and iOS.
This security update is part of the newly released RCS Universal Profile 3.0, utilizing the Messaging Layer Security (MLS) protocol.
The GSMA specifications aim to make RCS the first large-scale messaging service with interoperable E2EE across various client implementations from different providers.
Google's Android Messages app already uses the Signal protocol for E2EE, but this is limited to conversations within the app and not with iOS users or other Android RCS clients.
The development of E2EE in RCS was influenced by Apple's decision to support RCS in its iOS 18 Messages app, promoting better interoperability and security.
Google plans to integrate MLS in its Messages service and contribute to the open-source implementation of the specification.
RCS features continue to support group messaging, sharing of high-resolution media, and real-time indicators like read receipts and typing status across both Android and iOS platforms. | Details |
| 2025-03-14 14:26:45 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Developer Extradited to Face U.S. Charges | Rostislav Panev, a dual Russian-Israeli national, has been extradited to the U.S. to face charges related to his work with the LockBit ransomware group.
Arrested in Israel, Panev's laptop revealed involvement with LockBit, including access credentials and source code for ransomware encryptors and data theft tools.
Panev allegedly earned $230,000 in cryptocurrency over 18 months and played a pivotal role in LockBit's operations since 2019.
The ransomware attacks coordinated by LockBit, under Panev's development, victimized over 2,500 entities worldwide, including significant numbers within the U.S., and extorted over $500 million.
The U.S. Department of Justice charges encompass Panev's integral role in developing the technology that facilitated numerous high-profile cyber attacks.
His arrest and extradition are part of a broader crackdown on LockBit, which includes multiple indictments against the ransomware group’s core members and operators. | Details |
| 2025-03-14 13:13:30 | theregister | NATION STATE ACTIVITY | Apple's Secret UK Court Appeal Over Encryption Demand | Apple is reportedly appealing a UK government order to decrypt iCloud user data, mandated through a technical capability notice under the Investigatory Powers Act.
The appeal involves a private hearing at the High Court's Investigatory Powers Tribunal, raising concerns over transparency and public scrutiny.
US politicians and privacy campaigners have criticized the secrecy of the proceedings, emphasizing the need for a public debate on the technical and security implications.
Apple argues that encryption cannot be selectively broken as demanded, highlighting a fundamental technology limitation contrary to the UK's expectations.
The company had earlier disabled iCloud's Advanced Data Protection in response to the government's order, a move widely reported and speculated to be linked to the technical capability notice.
Privacy advocates argue that the secrecy of the tribunal's proceedings undermines public interest and the principle of open justice, especially given the widespread impact on personal privacy.
The case is significant due to its potential impact on global cybersecurity practices and the tensions it reveals between national security demands and privacy rights. | Details |
| 2025-03-14 11:29:45 | thehackernews | MISCELLANEOUS | Comprehensive Webinar on Ransomware Attack Mechanics and Prevention | Joseph Carson of Delinea, with 25 years in enterprise security, hosts a free live webinar on ransomware attacks.
The session includes a live demonstration detailing every stage of a ransomware attack, from intrusion to ransom request.
Attendees will learn how vulnerabilities are exploited by hackers to access and encrypt data.
The webinar aims to educate on safeguarding against ransomware through a proactive security approach.
Attendees are encouraged to sign up for free to gain insights into protecting their organizations from cyber threats. | Details |
| 2025-03-14 11:03:38 | theregister | MALWARE | New Ransomware Group Exploits Fortinet Flaws to Deploy SuperBlack | A newly identified ransomware group, referred to as Mora_001, has exploited vulnerabilities in Fortinet firewalls to launch ransomware attacks.
The group utilized two specific Fortinet vulnerabilities (CVE-2024-55591 and CVE-2025-24472), both of which are authentication bypass issues, to infiltrate networks.
Researchers from Forescout have linked the SuperBlack ransomware used by Mora_001 to LockBit, suggesting potential ties or shared methodologies between the groups.
After gaining access, Mora_001 attackers elevated their privileges, created duplicate admin accounts, and added themselves to VPN groups to maintain persistence unnoticed.
The attackers focused on high-value targets within the network, such as file servers and domain controllers, for data theft and encryption, using typical double extortion tactics.
Signs of the group's linkage to LockBit include similar post-exploitation patterns and the use of a known LockBit Tox ID for ransom negotiations.
Despite patches being available for the exploited vulnerabilities, a significant number of Fortinet firewalls remain unpatched, particularly in India and the US.
Forescout advises organizations to patch vulnerabilities promptly, audit admin and VPN accounts, and disable external management access to firewalls to mitigate such risks. | Details |
| 2025-03-14 11:03:38 | thehackernews | MISCELLANEOUS | How Andelyn Biosciences Perfected Microsegmentation in Weeks | Andelyn Biosciences, focused on gene therapy, sought to optimize security with minimal disruption.
Its initial strategy, based on traditional network access control solutions, was ineffective due to complexity and lack of scalability.
The company transitioned to Elisity’s identity-based microsegmentation, which offered quick deployment without hardware alterations or network redesign.
It achieved comprehensive visibility and policy modeling within days, ensuring assets were categorized accurately.
It implemented 2,700 security policies to elevate Zero Trust security without impacting normal operations.
The approach leverages dynamic policy enforcement based on real-time metadata and user behavior, rather than static network setups.
Andelyn now looks to expand this effective microsegmentation strategy across its other operations and sites. | Details |
| 2025-03-14 06:11:41 | thehackernews | MALWARE | New Malware "MassJacker" Targets Piracy Sites to Steal Crypto | A new malware campaign using MassJacker clipper malware is targeting users downloading pirated software, primarily to hijack cryptocurrency transactions.
The malware substitutes copied cryptocurrency wallet addresses in the clipboard with addresses controlled by attackers, redirecting funds to them instead of the intended recipient.
The attack begins from a website known to distribute pirated software, which also serves as a delivery platform for various malware, including a botnet.
Additional anti-analysis features in the malware include Just-In-Time (JIT) hooking and other techniques to evade detection and complicate analysis.
MassJacker operates by monitoring the system's clipboard for cryptocurrency wallet addresses, replacing any detected address with one belonging to attackers using sophisticated regex patterns.
Over 778,531 unique addresses have been connected to the attackers with the transferred assets totaling about $336,700, though only a small fraction currently holds funds.
CyberArk researchers have also found potential technical links between MassJacker and another malware, MassLogger, suggesting possible common origins or shared methodologies. | Details |
| 2025-03-14 05:43:49 | thehackernews | MALWARE | OBSCURE#BAT Malware Targets Users with Social Engineering | A novel malware, OBSCURE#BAT, is deploying an open-source rootkit r77 using social engineering tactics including fake CAPTCHA pages.
Security researchers have identified that the malware initially lures users via two primary methods: fake CAPTCHA verification pages resembling Cloudflare's interface and misrepresented software downloads for tools like the Tor Browser and VoIP services.
The malware employs a multistage infection process beginning with an obfuscated Windows batch script invoking PowerShell to execute further malicious activities.
Key techniques for persistence and evasion include modifying Windows Registry keys, setting up scheduled tasks, and embedding a .NET payload that employs advanced obfuscation and AMSI patching.
Once installed, OBSCURE#BAT deploys system and user-mode rootkits that hide specific files, processes, and registry entries, ensuring it remains hidden and hard to remove.
The malware also monitors clipboard and command history, likely preparing this data for exfiltration.
This campaign primarily targets English-speaking individuals in the US, Canada, Germany, and the UK. | Details |
| 2025-03-13 23:31:26 | theregister | DATA BREACH | House Democrats Probe Musk's Use of AI in Government Data Analysis | House Democrats have raised concerns about Elon Musk's DOGE team potentially misusing sensitive government data through AI systems.
Gerald Connolly sent letters to 24 federal agencies seeking reassurance that AI tools being used have adequate security reviews and FedRAMP approval.
Reports suggest that DOGE has implemented AI to suggest cuts in federal agencies without thorough vetting of the technology.
The use of commercial AI systems like Inventry.ai to process government data without proper authorization could violate multiple federal laws.
Connolly highlighted the risk of exposing personally identifiable information of American citizens through these unapproved AI systems.
There is also concern Musk might be using government data to train his own AI models, though evidence is lacking.
Federal agencies must respond to Connolly's inquiries by March 26, detailing the legal basis for data access and the specific AI tools used. | Details |
| 2025-03-13 20:55:21 | bleepingcomputer | MISCELLANEOUS | Microsoft Reinstates VSCode Extensions After False Malware Alert | Microsoft reinstated the VSCode extensions "Material Theme – Free" and "Material Theme Icons – Free" after initially removing them due to perceived security risks.
The removal was based on a security analysis which mistakenly identified obfuscated code in the extensions as malicious.
The extensions, with over 9 million installs, had been flagged by AI-powered scanners which misinterpreted the presence of code execution capabilities as a potential threat.
The publisher, Mattia Astorino, contended the issue stemmed from an outdated dependency, not from any malicious intent.
Microsoft apologized for the error, reinstating Astorino’s publisher status and the extensions on the Visual Studio Marketplace.
Microsoft plans to update its policy on handling obfuscated code and enhance its scanners to prevent similar incidents in the future.
Despite initially supporting the security concerns, cybersecurity researcher Amit Assaraf acknowledged the lack of malicious intent from the publisher.
New versions of the Material Theme extensions are reported by Astorino to be safe and have been completely rewritten. | Details |
| 2025-03-13 19:59:16 | bleepingcomputer | MALWARE | New SuperBlack Ransomware Exploits Fortinet Vulnerabilities | 'Mora_001,' a new ransomware group, is exploiting vulnerabilities in Fortinet firewall appliances, specifically CVE-2024-55591 and CVE-2025-24472, to deploy SuperBlack ransomware.
Fortinet disclosed these vulnerabilities in early 2024, with indications that CVE-2024-55591 was exploited as a zero-day, while CVE-2025-24472 was not initially believed to be exploited but was later confirmed.
SuperBlack attacks involve gaining 'super_admin' access using the vulnerabilities, creating malicious admin accounts, and mapping networks for lateral movements and data theft.
The ransomware aims for double extortion by stealing data and encrypting high-value servers, paired with dropping ransom notes and a custom wiper tool called 'WipeBlack' to hinder forensic efforts.
Forensic analysis by Forescout revealed a strong link between SuperBlack and the notorious LockBit ransomware, suggesting operational similarities and possible shared affiliations.
Comprehensive indicators of compromise (IoC) associated with SuperBlack, as described in Forescout’s report, highlight the importance of enhanced monitoring and defense strategies to guard against such sophisticated threats. | Details |