Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12799
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-04-02 19:52:20 | bleepingcomputer | DATA BREACH | Security Flaw in Verizon API Exposes Customer Call Logs | Verizon's Call Filter API vulnerability allowed unauthorized access to other users' incoming call histories. Discovered by security researcher Evan Connelly on February 22, 2025, with a fix implemented by Verizon in the following month. The Call Filter app comes pre-installed on Verizon Android and iOS devices and is used by millions. The flaw involved an unsecured endpoint that did not verify the phone number in the JWT payload against the requested call logs. This could have implications for privacy, enabling potential surveillance of a user's routines, contacts, and relationships using their call metadata. The breach potentially exposed sensitive information of high-value targets like politicians, journalists, and law enforcement officials. It is unclear how long the vulnerability existed or if it was exploited, as no rate limiting or API gateway protection was noted. The API was hosted on a server by Cequint, raising concerns about the security practices around handling telecommunication data. | Details |
| 2025-04-02 19:17:23 | theregister | CYBERCRIME | Ransomware Gang Shifts Focus to Pure Extortion Amid Risks | Hunters International, a notorious ransomware group, has announced a strategy shift from ransomware to purely extortion-based tactics due to increasing risks and lower profitability. The gang is rebranding to "World Leaks" and has already launched a dark web page focusing on data theft and extortion, avoiding the use of ransomware. Despite the strategic pivot, conflicting messages suggest that Hunters International might still be active under its original operation or there might be confusion due to a split within the group. Leading figures in the group cited heightened law enforcement actions and new designations of ransomware operations as terrorism as key reasons for moving away from ransomware. Researchers from Group-IB reported that despite initial technical issues, World Leaks is operational but has yet to claim any victims. The new strategy includes offering affiliates custom data exfiltration tools and a share in the profits, emphasizing a less detectable approach to cybercrime. This shift follows a broader trend in the cybercriminal community, where many are moving away from ransomware due to increased legal and operational pressures. | Details |
| 2025-04-02 18:27:40 | bleepingcomputer | DATA BREACH | GitHub Enhances Security Tools After Major Secret Leaks | GitHub updated its Advanced Security platform following the discovery of over 39 million secrets leaked from repositories in 2024. Leaked items included API keys, passwords, and tokens, posing significant security risks to users and organizations. GitHub attributes the frequent secret leaks to developers prioritizing convenience and to accidental exposure in git history. GitHub's Advanced Security updates include new measures and enhancements that can now be purchased as standalone products for scalable security. Push Protection is emphasized to block secret leaks at the repository level before they occur and is enabled by default on all public repositories. Users are encouraged to eliminate hardcoded secrets in source code, using environment variables, secret managers, or vaults instead. GitHub also stresses the integration of tools with CI/CD pipelines and cloud platforms to manage secrets programmatically and minimize human error. Guidance is available through GitHub's 'Best Practices' guide for managing secrets effectively end to end. | Details |
| 2025-04-02 18:07:00 | bleepingcomputer | MISCELLANEOUS | Microsoft Introduces Hotpatch Updates for Windows 11 Enterprise | Microsoft has launched hotpatch updates for Windows 11 Enterprise 24H2 on x64 systems, which allow installing OS security updates without rebooting. Hotpatch updates can be deployed in the background by patching the in-memory code of running processes. Users can create a hotpatch-enabled quality update policy through Windows Autopatch via the Microsoft Intune console. Hotpatch updates will be offered quarterly and are designed to reduce downtime by eliminating the need for device restarts eight months out of twelve. To use hotpatch updates, businesses require a Microsoft subscription, a compatible Windows 11 Enterprise 24H2 PC, and Virtualization-based Security (VBS) enabled. Hotpatch updates for Arm64 devices are still in public preview, but administrators can modify settings to make these devices eligible. Standard monthly security updates will continue for devices running Windows 10 and Windows 11 versions up to 23H2. The hotpatching capability was first tested on Windows Server Azure Edition before being introduced to Windows client systems. | Details |
| 2025-04-02 16:40:36 | bleepingcomputer | DATA BREACH | Royal Mail Investigates Third-Party Data Breach Impacting Operations | Royal Mail is looking into claims of a security incident involving Spectos GmbH, its third-party data service provider, after a data leak of 144GB allegedly from Spectos systems. The leaked data includes personal information of Royal Mail customers, internal documents, and recorded meetings, among other sensitive information. Spectos confirmed a cyber attack initiated on March 29, 2025, leading to unauthorized customer data access, the extent of which is under forensic investigation. Hudson Rock reported that attackers accessed Royal Mail systems using credentials from a Spectos employee compromised in a 2021 malware attack. The breach has not impacted Royal Mail's operational capabilities, and services are continuing as usual despite the incident. Royal Mail has previously experienced cyber challenges, including a severe disruption in 2023 due to a ransomware attack by LockBit, affecting international shipping. Current breach investigations seek to ascertain the full scope and potential consequences of the leaked customer data. | Details |
| 2025-04-02 15:04:46 | theregister | DATA BREACH | Oracle Criticized for Poor Communication During Data Breaches | Oracle faced criticism for its handling of communications during two reported data security incidents. Initially, Oracle denied allegations of a breach on March 20, claiming no Oracle Cloud customers were affected. Subsequent investigations and expert opinions suggested otherwise, pointing to potential deceptions and semantic nuances in Oracle's statements. Reports emerged of Oracle allegedly using archive exclusion processes to remove evidence of the breaches from the internet. Despite denials, leaked communications from Oracle Health indicated a breach involving stolen legacy data. The company's communication strategy has been described as a failure in transparency, potentially damaging its reputation. Experts emphasize the importance of clear and honest communications in managing the fallout from cybersecurity incidents. Oracle's response to these incidents contrasts starkly with best practice guidelines for transparent incident disclosures. | Details |
| 2025-04-02 14:49:49 | theregister | MISCELLANEOUS | Infinidat Enhances Cyber Resilience with Advanced Recovery Solutions | Infinidat focuses on enabling rapid recovery from cyberattacks through its enterprise storage solutions. Immense reliance on large data volumes for modern workloads necessitates robust data restoration systems. InfiniSafe features, including immutable snapshot recovery and air-gapped environments, ensure quick and secure data recovery. The use of AI and deep machine learning expedites the recovery process, fulfilling stringent SLA requirements. Integration with third-party SOC, SIEM, and SOAR platforms via APIs enhances automated cyber protection. InfiniSafe's AI capabilities help detect malware or ransomware in data snapshots. The InfiniBox storage array delivers guaranteed immutable snapshot recovery in under a minute. This advanced technology is aimed at minimizing downtime and promoting business resilience against cyber threats. | Details |
| 2025-04-02 14:11:47 | bleepingcomputer | MISCELLANEOUS | Global Effort Shuts Down Major Child Exploitation Platform | KidFlix, a major child sexual exploitation platform on the dark web, was shut down on March 11 by German law enforcement. This international action, named Operation Stream, was supported by Europol and involved various national agencies. Since its inception in 2022, Operation Stream has led to 79 arrests and identified 1,393 suspects, seizing over 3,000 electronic devices. Approximately 1.8 million users worldwide accessed KidFlix, which hosted around 72,000 videos of child abuse material. Information regarding suspects has been shared across 35 countries, enhancing global cooperation against child exploitation. The platform, unique in its streaming capability, used a token system where users earned and spent tokens to view videos. Law enforcement efforts highlighted the prevalence of repeat offenders in networks involved in the distribution of child sexual abuse material. Additional operations, including Operation Cumberland, have targeted related criminal rings distributing AI-generated child sexual abuse material. | Details |
| 2025-04-02 14:01:39 | bleepingcomputer | MALWARE | Counterfeit Androids Preloaded with Triada Malware Risk Data Theft | A new version of the Triada Trojan was found preinstalled on thousands of counterfeit Android devices targeting Russian users. Kaspersky discovered at least 2,600 infected devices between March 13 and 27, 2025, using its mobile protection tools. The malware evades detection by operating in the device's RAM and embedding itself within Android's system framework. Triada was embedded into the smartphone firmware before distribution, indicating a possible supply chain compromise. Infected devices are involved in the theft of at least $270,000 in cryptocurrencies; the precise total remains unclear because hard-to-trace Monero was involved. The malware copies itself to every process on the smartphone, affecting the entire system's operation and security. Kaspersky suggests that these devices likely reach consumers through unauthorized retail channels and recommends buying only from authorized distributors. | Details |
| 2025-04-02 14:01:39 | bleepingcomputer | MISCELLANEOUS | Bridging the Gap Between Security Expectation and Reality | Despite advanced tools and teams, many organizations face security control failures that are detected only post-breach. Traditional security testing like compliance audits and penetration tests often misses operational assurance, leaving crucial gaps. Real-world examples illustrate how increased logging or unnoticed network changes can debilitate security systems like SIEM or IDS. Five common reasons for security failures include inadequate investment in threat prevention, detection, and response, and overwhelmed security systems. Continuous validation and testing, such as Managed Breach & Attack Simulation (BAS) services, are essential for identifying and rectifying these failures. These ongoing tests help in holding vendors accountable, renegotiating contracts, and ensuring vendors meet their service level agreements effectively. Introducing business metrics like Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) aligns security performance with business goals. Companies are advised to transition from trusting security investments blindly to continuously testing and validating their effectiveness to manage risk and reduce costs. | Details |
| 2025-04-02 13:55:05 | thehackernews | CYBERCRIME | Google Patches Cloud Run Flaw Enabling Unauthorized Image Access | Researchers discovered a critical vulnerability in Google Cloud Platform's Cloud Run service that allowed unauthorized access to container images. The flaw, named ImageRunner, let attackers with specific permissions exploit Google Cloud Run to access and potentially inject malicious code into private container images. Attackers could manipulate Cloud Run service revisions, pulling any private image from associated Google registries without proper permissions. Google addressed this security issue by ensuring that only principals with explicit permissions can access container images during Cloud Run operations. The vulnerability exposed inherent risks in the interconnectivity of cloud services, highlighting potential privilege escalation and hidden security threats. This flaw's discovery follows recent findings of similar security vulnerabilities in Azure, showcasing widespread challenges in cloud security management. Google's patch now requires that any principal creating or updating a Cloud Run resource have explicit container image access permissions, enhancing security measures. Tenable, the cybersecurity firm that reported the issue, emphasized the broader implications due to interconnected cloud service architectures. | Details |
| 2025-04-02 13:23:54 | bleepingcomputer | CYBERCRIME | Critical Cisco Backdoor Admin Vulnerability Exposed and Exploited | Cisco alerted administrators about a critical vulnerability in the Cisco Smart Licensing Utility (CSLU) that introduces a backdoor admin account, making it susceptible to unauthorized remote access. The vulnerability, identified as CVE-2024-20439, allows unauthenticated attackers to gain administrative access via the CSLU app's API by exploiting hardcoded static credentials. Although the flaw was patched by Cisco in September, details of the vulnerability and an exploitation method were published, leading to observable exploit activity in the wild. In a related threat, attackers are combining CVE-2024-20439 with a second vulnerability (CVE-2024-20440) to access log files containing sensitive information through crafted HTTP requests. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recognized the severity of this exploit and mandated that federal agencies address the vulnerability by April 21. Cisco's advisory emphasizes the necessity for customers to update their software to mitigate this backdoor vulnerability and protect against potential breaches. Historical context is given, noting similar issues with hardcoded credentials found in various Cisco products over recent years. | Details |
| 2025-04-02 11:45:43 | theregister | CYBERCRIME | Healthcare Cybersecurity Strained by Rising Ransomware Threats | Rising ransomware attacks target healthcare systems because they are likely to pay quickly due to the critical nature of their services. Notable attacks included a Texas hospital that turned away ambulances and a major intrusion at Change Healthcare impacting claims and payment systems nationwide. Cybercriminals are shifting tactics from crippling systems to stealing and extorting data to avoid law enforcement detection. Industry experts recommend healthcare organizations enhance disaster recovery plans focusing on patient care continuity and cybersecurity. Healthcare organizations should integrate cybersecurity into their broader resilience planning, leveraging real-time intelligence and collaboration. The University of California San Diego Center for Healthcare Cybersecurity and Denmark's health industry serve as leading examples of proactive cyber resilience strategies. Executives are advised to prioritize robust recovery plans and conduct regular simulated exercises to mitigate impacts on critical healthcare systems. | Details |
| 2025-04-02 11:25:57 | thehackernews | MISCELLANEOUS | Guide to Achieving NIST Compliance for Service Providers | NIST compliance is crucial for service providers to protect client data and enhance security measures. Compliance with NIST standards not only secures sensitive data but also boosts the provider's credibility and competitive edge. NIST frameworks offer structured methods for data protection, risk assessment, and incident response that are vital for various industries. Common challenges in achieving compliance include navigating complex cyber frameworks and the overwhelming demands of compliance processes. A step-by-step guide assists service providers in understanding and implementing NIST compliance effectively. Automation plays a significant role, streamlining the compliance process through tools that reduce manual work and enhance accuracy. Service providers adopting NIST frameworks can meet regulatory demands, improving their security posture and client trust. | Details |
| 2025-04-02 10:57:50 | theregister | DATA BREACH | Oracle Sued in Texas over Alleged Cloud Data Breaches | Oracle faces a class action lawsuit in Texas for alleged breaches in its cloud services, including health information. The lawsuit claims Oracle failed to notify victims about the breach within the required 60-day period under Texas state law. Plaintiff Michael Toikach and potentially others allege that Oracle's security lapses led to the exposure of personal and health data. The legal action accuses Oracle of not maintaining adequate network security, failing in staff training on data security, and not detecting or preventing the intrusion in a timely manner. Victims foresee spending significant time and money to mitigate the risks posed by the breach, which include potential identity theft and fraud. Toikach seeks compensation for damages and demands that Oracle enhance its security measures. Oracle has yet to comment publicly on the allegations. | Details |