Daily Brief
Total articles found: 12793
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-04-25 14:08:49 | bleepingcomputer | DATA BREACH | Over 31,000 Affected in Baltimore School Data Breach Incident | Baltimore City Public Schools suffered a data breach in February that affected its IT systems. The breach compromised the personal data of at least 31,000 individuals, including employees, students, and contractors. Exposed information includes Social Security numbers, driver's licenses, and passport details. The breach is linked to Cloak ransomware, a group active since late 2022 that primarily targets small and medium-sized businesses. The school district is offering complimentary credit monitoring to affected persons and recommends that they monitor their personal accounts and credit reports. The incident follows earlier cybersecurity issues in the region, including multiple ransomware attacks on nearby government and educational systems. |
| 2025-04-25 13:21:13 | bleepingcomputer | MALWARE | Critical SAP NetWeaver Zero-Day Exploited, Urgent Patches Released | SAP has released emergency updates for a critical zero-day flaw in NetWeaver Visual Composer that allows remote code execution. The flaw, tracked as CVE-2025-31324 with a maximum severity score of 10.0, is an unauthenticated file upload vulnerability. Attackers exploited it to upload malicious JSP webshells, gaining remote code execution and full control of the system. After the initial breach, attackers used tools such as Brute Ratel and the Heaven's Gate technique to improve stealth and extend their access. Security firms including ReliaQuest and watchTowr observed active exploitation, raising significant concern among SAP users. Because the exploit was a zero-day, attackers bypassed existing security measures even on fully patched systems. SAP's emergency patch also fixes additional critical vulnerabilities in its software suite. Companies unable to apply the patch immediately are advised to run deep scans and remove any suspicious files as a temporary measure. |
| 2025-04-25 13:06:10 | bleepingcomputer | MALWARE | SAP NetWeaver Critical Vulnerability Actively Exploited, Urgent Patches Released | SAP released emergency updates for a critical vulnerability in NetWeaver that allows remote code execution. The vulnerability, CVE-2025-31324 with a CVSS score of 10.0, is an unauthenticated file upload in the Visual Composer Metadata Uploader. Attackers exploited the flaw to upload JSP webshells and achieve remote command execution without prior authentication. Post-exploitation activity included the Brute Ratel red team tool and the Heaven's Gate technique for stealth and persistence. Security firms noted that exploitation was widespread and included fully patched systems, indicating a zero-day exploit. Recommendations are to apply the latest security patches and perform deep scans to detect and remove any injected malicious files. Additional vulnerabilities, CVE-2025-27429 and CVE-2025-31330, were also addressed in the emergency security update. |
| 2025-04-25 10:43:54 | thehackernews | MALWARE | Hackers Exploit SAP NetWeaver Flaw for Unauthorized Access | Attackers are exploiting SAP NetWeaver, using JSP web shells for unauthorized file uploads and code execution. The exploitation is tied to a possible zero-day vulnerability, since affected systems had up-to-date patches. Cybersecurity firm ReliaQuest identified the flaw in the "/developmentserver/metadatauploader" endpoint, which allows persistent remote access. Attack chains involve advanced post-exploitation tools such as Brute Ratel C4 and the Heaven's Gate technique. The attackers may operate as initial access brokers, selling system access to other groups on underground forums. SAP issued updates addressing related high-severity security flaws, underscoring the critical nature of the threat. Systems are often left vulnerable because of on-premises deployment and delays in applying security updates. The risk is urgent for government agencies and enterprises using SAP solutions, compounded by the high value of these systems. |
| 2025-04-25 10:34:47 | thehackernews | CYBERCRIME | Non-Human Identities: The Overlooked Threat in Cybersecurity | Non-Human Identities (NHIs), which include service accounts, IAM roles, and other cloud-specific identities, are a growing cybersecurity risk. NHIs typically authenticate using secrets such as API keys and certificates, which are highly sought after by attackers. Many companies do not know how many of these secrets they have or where they are, leaving potential security gaps. Secrets used by NHIs often lack proper management such as expiration or audit trails, making unauthorized access and breaches more likely. Traditional identity governance tools are inadequate for NHIs because they cannot track the dynamic and decentralized nature of machine identities. GitGuardian has developed NHI Governance, which aims to provide comprehensive lifecycle management for machine identities and their secrets. Increased use of AI and machine learning compounds the risk, as these technologies can inadvertently expose sensitive data. Effective governance and management of NHIs is crucial for mitigating risk and ensuring organizational cybersecurity. |
| 2025-04-25 09:37:13 | theregister | DATA BREACH | Claims Firm Fined for Unsolicited Calls to Opt-Out Individuals | Britain's data privacy watchdog, the ICO, fined AFK Letters Co Ltd £90k for making over 95,000 unsolicited marketing calls to individuals registered with the Telephone Preference Service (TPS). AFK used data from its website and a third-party survey company for marketing without valid, specific consent, violating the UK's electronic marketing laws. The third-party data provider used by AFK did not name the company in its consent statements, further undermining the validity of the consent. AFK's privacy policy did not mention that it would make direct phone calls; it stated only that contact would be by email. Complaints to the ICO included reports of AFK calling about potential refunds for services such as solar panels without customer consent. AFK could not demonstrate consent for the calls it made, nor provide consent records when challenged, even for calls within the last three months. The ICO stressed the importance of clear, informed, and specific consent for direct marketing and warned other companies about strict compliance with the regulations. AFK Letters appears to be facing closure: its website has been replaced by a placeholder and Companies House lists an "Active Proposal to Strike Off". |
| 2025-04-25 09:37:13 | bleepingcomputer | NATION STATE ACTIVITY | FBI Seeks Public Assistance to Identify Salt Typhoon Hackers | The FBI has requested public tips to help identify the Chinese Salt Typhoon hackers responsible for extensive breaches of global telecommunications systems, including major U.S. providers. Salt Typhoon, associated with state-sponsored cyber espionage, has infiltrated U.S. telecom networks, accessing law enforcement wiretaps and private government communications. Recent breaches attributed to the group span multiple countries, targeting government and telecom entities with advanced malicious tools. The operations have resulted in the theft of call data logs, private communications of certain U.S. officials, and sensitive information subject to U.S. court orders. The U.S. has imposed sanctions on entities linked to these attacks and is offering a reward of up to $10 million for information leading to the identification of the threat actors. Continuing U.S. efforts to strengthen cybersecurity include potential bans on specific technology products from companies linked to these attacks if they are found to endanger national security. |
| 2025-04-25 09:03:21 | thehackernews | DATA BREACH | Severe Security Flaws Discovered in Rack Ruby Server and Infodraw MRS | Cybersecurity researchers disclosed critical vulnerabilities in the Rack Ruby web server interface that could allow unauthorized file access and data breaches. One vulnerability, CVE-2025-27610, is severe because it lets unauthenticated attackers access sensitive data, including credentials and configuration files. It stems from improper sanitization of user-supplied paths in Rack::Static, which serves static content such as JavaScript and images. Attackers can use path traversal to retrieve files outside the intended web directory if the :root option is misconfigured. The recommended mitigation is to update to the most recent version or to set the :root parameter to a safe directory. A separate critical flaw, CVE-2025-43928 with a CVSS score of 9.8, was found in the Infodraw Media Relay Service and allows file reading and deletion via path traversal. Affected systems in Belgium and Luxembourg have been taken offline, and because the manufacturer has not released a patch, organizations are urged either to disconnect their systems or to strengthen their protection. |
| 2025-04-25 08:49:35 | thehackernews | MALWARE | New DslogdRAT Malware Targets Japan via Ivanti ICS Zero-Day Exploit | A new malware, DslogdRAT, has been detected in attacks exploiting a previously unpatched vulnerability, CVE-2025-0282, in Ivanti Connect Secure (ICS) against Japanese organizations. CVE-2025-0282 allows unauthenticated remote code execution and was patched by Ivanti in early January 2025 after being exploited as a zero-day. A China-linked cyber espionage group, tracked as UNC5337, used the zero-day to deploy the SPAWN malware ecosystem along with other tools such as DRYHOOK and PHASEJAM. Other SPAWN variants were later identified, including SPAWNCHIMERA and RESURGE, delivered through the same CVE and by exploiting another ICS flaw, CVE-2025-22457. DslogdRAT establishes a connection to an external server to transmit system information and receive further malicious commands. GreyNoise has observed a significant increase in suspicious scanning targeting ICS and Ivanti Pulse Secure (IPS) appliances, which may indicate preparation for future exploitation. Attribution of the DslogdRAT deployment to the same attacks remains uncertain, illustrating the difficulty of tracing cyber espionage activity. |
| 2025-04-25 06:20:08 | theregister | CYBERCRIME | Darcula Phishing Kit Enhanced with AI for Multilingual Attacks | Darcula, a cybercrime group, has upgraded its phishing kit with AI features that allow rapid creation of phishing sites in multiple languages. Discovered by Netcraft security researchers, the phishing-as-a-service offering now supports cloning websites and injecting deceptive forms with ease. The AI enhancement simplifies customizing phishing forms and translations, streamlining attacks tailored to different regions. Demonstrated capabilities include cloning a Google homepage, generating phishing fields in Chinese, and translating them into English without manual input. The kit uses messaging protocols such as iMessage and RCS, bypassing traditional SMS firewalls and increasing the likelihood that phishing campaigns succeed. Darcula's phishing kits now offer over 200 templates mimicking well-known brands, expanding its reach globally. The FBI's IC3 report listed phishing as the most frequently reported cybercrime, underlining the growing threat posed by advanced phishing tools like Darcula's. |
| 2025-04-24 20:38:26 | theregister | DATA BREACH | Over 5.5 Million Patients' Data Compromised in Yale Health Breach | Yale New Haven Health has informed over 5.5 million individuals that their private information may have been stolen in a cybersecurity breach. The breach hit the network of Connecticut's largest healthcare provider, which operates facilities in multiple states including New York and Rhode Island. Mandiant's incident response team was engaged to investigate the intrusion; the incident has been confirmed and the relevant authorities notified. Stolen data could include Social Security numbers, demographic information, and medical record numbers. No impact on patient care or access to electronic medical records was reported, despite initial disruptions to phone and internet connectivity. Yale New Haven Health has begun contacting affected patients and is offering free credit monitoring and identity protection services. The incident is one of the largest healthcare privacy breaches of the year, raising concerns about the security of healthcare information systems. |
| 2025-04-24 20:30:36 | bleepingcomputer | NATION STATE ACTIVITY | Russian Hackers Exploit OAuth to Hijack Microsoft 365 Accounts | Russian threat actors have been abusing OAuth 2.0 authentication workflows to hijack Microsoft 365 accounts linked to Ukraine and human rights groups. The attackers impersonate European officials and Ukrainian diplomats, contacting targets over WhatsApp and Signal and luring them into handing over Microsoft authorization codes. The attack begins with an OAuth phishing URL, presented as required to join a private video meeting. After authenticating, victims are redirected to a modified in-browser version of Visual Studio Code that captures the Microsoft 365 login parameters. The authorization code obtained this way is valid for 60 days and grants access to all resources available to the user. In some variants, the attackers registered a new device under the victim's Microsoft Entra ID once the two-factor authentication approval had been social-engineered. Volexity tracks the threat actors as UTA0352 and UTA0355 and assesses with medium confidence that they are Russian. Protective measures include alerting on unusual logins, blocking certain domains, and implementing conditional access policies. |
| 2025-04-24 19:15:15 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Lazarus Group Targets South Korean Firms | The North Korean threat group Lazarus ran an espionage campaign against the software, IT, finance, and telecommunications industries in South Korea. The campaign, named "Operation SyncHole," used watering hole attacks that leveraged a known vulnerability in the Cross EX file transfer client. Compromised South Korean media portals redirected victims to malicious domains mimicking legitimate software vendors. The deployed malware, ThreatNeedle, ran with high privileges and could execute 37 distinct commands on an infected host. Kaspersky researchers observed varying infection vectors and tools, including Innorix Abuser, wAgent, and Copperhedge, across the different attack phases. The activity was linked to the North Korean government, with methods and timing consistent with the group's known patterns. The Korea Internet & Security Agency (KrCERT) was informed, and patches and updates were subsequently applied to address the exploited vulnerabilities and additional zero-day flaws that were identified. |
| 2025-04-24 18:06:16 | theregister | MISCELLANEOUS | Microsoft Patch Unintentionally Disables Windows Updates | Microsoft's latest security patch inadvertently introduces a flaw that can stop Windows updates. The patch mitigates CVE-2025-21204 by pre-creating a folder named c:\inetpub to prevent symlink attacks. Security researcher Kevin Beaumont showed that redirecting that folder to a system executable with the mklink /j command causes updates to fail. The loophole allows even standard users without administrative rights to block important security updates. System administrators now have the additional task of checking for tampered directory junctions that could prevent updates. The situation raises concerns about Microsoft's testing processes and how easily a basic denial-of-service (DoS) was introduced into production environments. Microsoft has been informed of the issue but has not yet responded or issued a fix. |
| 2025-04-24 16:27:14 | bleepingcomputer | DATA BREACH | Ransomware Attack at Frederick Health Exposes Data of Nearly 1 Million | Frederick Health in Maryland was hit by a ransomware attack on its IT systems, which it detected on January 27, 2025. The unauthorized access led to files being copied from a file share server, exposing sensitive patient information. Compromised data includes names, addresses, birth dates, Social Security and driver's license numbers, and health-related information. Frederick Health has mailed notification letters to individuals whose data was involved and for whom it had sufficient contact information. In late March the incident was reported to the U.S. Department of Health and Human Services, confirming that the breach affected 934,326 patients. No ransomware group has claimed responsibility for the attack, which may indicate that Frederick Health paid a ransom. The incident is part of a larger trend, alongside similar breaches recently reported by Blue Shield of California and Yale New Haven Health. |