Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-03-24 23:10:11 | theregister | NATION STATE ACTIVITY | Top Officials Discuss Yemen Strikes on Signal, Inviting Journalist | Senior Trump administration figures used Signal, a secure messaging app, to discuss classified military plans, including airstrikes against Houthi rebels in Yemen. A journalist from The Atlantic, inadvertently added to the group chat, observed the sharing of sensitive information, including the timing and types of weapons to be used. Discussions within the group also covered public relations strategies and the financial involvement of European nations. The use of Signal, coupled with auto-delete settings for messages, raises concerns about violations of federal record-keeping laws. Criticism has surfaced regarding the lack of secure, government-approved communication methods and the potential risks posed to operational security and personnel safety. Following the incident, Senator Adam Schiff called for an investigation to assess the extent of sensitive information being shared via unsecured platforms within the Pentagon. The situation highlights a disconnect between the administration's public stance on security, as demonstrated in the 2016 presidential campaign, and its practices. |
| 2025-03-24 21:29:58 | theregister | NATION STATE ACTIVITY | FCC Investigates Chinese Telecom Firms' Operations in the U.S. | The FCC is scrutinizing Chinese telecom manufacturers like Huawei to ensure compliance with U.S. national security regulations. Formal inquiries and a subpoena have been issued to identify any unauthorized operations by entities on the FCC's Covered List, which includes companies flagged as national security threats. The investigation targets companies deemed aligned with the Chinese Communist Party and includes major firms such as ZTE and China Telecom. FCC Chairman Brendan Carr acknowledges ongoing unauthorized business activities by these companies, including potential unregulated business on U.S. soil. The focus is also on domestic companies that might be aiding the operations of these Chinese entities. Any breaches found will lead to appropriate actions by the FCC to safeguard the integrity of America's telecommunications network. During President Trump's tenure, similar actions significantly impacted Huawei's operations and profits, although it recently reported a rebound in earnings. |
| 2025-03-24 20:35:12 | theregister | NATION STATE ACTIVITY | Former Air Force Officer Discusses Rising Nation-State Cyber Threats | Former US Air Force cyber officer Sarah Cleveland highlights the increasing risk of nation-state attacks on supply chains, specifically citing concerns about China. Cleveland personally responded to these threats by installing solar panels at her home to mitigate potential disruptions to the power grid. She references recent activities by Chinese espionage groups like Silk Typhoon and Salt Typhoon, which have targeted the U.S. Treasury and telecom sectors. Attacks are no longer just about data theft but now include direct disruption of critical infrastructure through compromised third-party vendors and contractors. Cleveland urges corporations not to wait for government mandates but to proactively secure their networks and understand the flow of their data. She emphasizes the need for robust cybersecurity measures like zero-trust policies, multi-factor authentication, and immediate de-provisioning of accounts when employees leave a company. She acknowledges potential conflicts of interest, as her current employer, ExtraHop, offers solutions that could benefit from higher demand for network visibility and response capabilities. |
| 2025-03-24 20:23:39 | bleepingcomputer | DATA BREACH | 23andMe Faces Bankruptcy, Urges DNA Data Deletion Amid Sale | 23andMe, a direct-to-consumer genetic testing company, has declared Chapter 11 bankruptcy and plans to auction its assets. The company has sold over 12 million DNA testing kits since its inception in November 2007. Despite the bankruptcy, 23andMe assures continued security and privacy protections for customer data during the asset sale. Privacy concerns have escalated as the company's substantial DNA data could potentially be acquired by unfavorable parties. The California Attorney General has issued an alert advising customers to delete their data and revoke consent for its use in research. The UK Information Commissioner's Office underscores the importance of adhering to GDPR, maintaining rigorous data protection despite the company's financial woes. A previous data breach in 2023 compromised the genetic data of 6.4 million customers, leading to a $30 million lawsuit settlement. The company's restructuring included controversial changes to its Terms of Use, hindering customers' legal recourse against it. |
| 2025-03-24 19:49:48 | bleepingcomputer | MALWARE | VanHelsing RaaS Targets Multiple Platforms; Extortion Threats Revealed | VanHelsing ransomware-as-a-service targets systems including Windows, Linux, BSD, ARM, and ESXi. Advertised since March 7 on underground platforms, VanHelsing charges less experienced threat actors a $5,000 deposit. The operation prohibits attacks on CIS countries and offers affiliates 80% of ransom payments, with 20% going to the operators. The ransomware encrypts files with the ChaCha20 algorithm, and the operation includes an automated escrow payment system. Currently, VanHelsing has claimed three victims: a city in Texas and two technology companies in the U.S. and France, demanding a $500,000 ransom. The malware supports complex CLI customization, enabling tailored attacks, and features both normal and stealth encryption modes. Despite its sophistication, Check Point identified several code flaws that suggest some immaturity in its development. VanHelsing is viewed as a significant and evolving threat in the cybercrime landscape. |
| 2025-03-24 19:16:35 | thehackernews | MALWARE | Critical Remote Code Execution Flaw Found in Ingress NGINX Controller | Five critical vulnerabilities, codenamed IngressNightmare by Wiz, have been discovered in the Ingress NGINX Controller for Kubernetes; they allow unauthenticated remote code execution. Over 6,500 Kubernetes clusters are exposed to the public internet. The vulnerabilities allow attackers to gain unauthorized access to all Kubernetes cluster secrets, potentially leading to total cluster control. The flaws specifically affect the admission controller component, allowing attackers to inject arbitrary NGINX configurations and execute code. Approximately 43% of cloud environments using this technology are vulnerable. A possible attack method includes uploading a malicious payload via the client-body buffer feature and using an AdmissionReview request to trigger remote code execution. Fixed versions (1.12.1, 1.11.5, 1.10.7) have been released, with recommendations for users to update immediately and secure the admission webhook endpoint. |
| 2025-03-24 18:28:48 | bleepingcomputer | NATION STATE ACTIVITY | Ukrainian Railway Targeted in Major Cyberattack; Operations Continue | Ukrzaliznytsia, Ukraine's national railway operator, was struck by a significant cyberattack, disrupting online ticket services. The attack caused the website and mobile apps to malfunction, forcing passengers to purchase tickets at physical locations, resulting in overcrowded stations and extended waiting times. The railway's operational activities, including train schedules and traffic, remained unaffected thanks to backup protocols previously established in response to past attacks. Military personnel were allowed to buy tickets directly on trains to prevent any disruption in their movements, while civilians were advised to use previously emailed PDF copies of their tickets. Despite the online platform issues, train operations continued without delays, demonstrating resilience against the strategic cyberattack. Ukrzaliznytsia is collaborating with the SBU Cyber Department and CERT-UA to address security vulnerabilities and restore full functionality, though no specific recovery timeline has been provided. The cyberattack was described as "highly systematic and multi-layered," highlighting its complexity and possibly the involvement of a nation-state actor. |
| 2025-03-24 18:20:47 | bleepingcomputer | CYBERCRIME | Global DrayTek Routers Disrupted by Firmware Vulnerabilities | ISPs globally reported DrayTek routers experiencing boot loops and connectivity issues starting Saturday night. The disruption affected multiple models of DrayTek routers, and ISPs identified both cyberattacks and a problematic firmware update as potential causes. The affected devices presented issues like intermittent connectivity and automatic reboot cycles, heavily impacting Internet services. ISPs such as Gamma, Zen Internet, ICUK, and A&A in the United Kingdom, and others internationally, urged users to install the latest firmware or replace their routers. DrayTek advised customers to disable SSLVPN/Remote Access features and switch off VPN functionality until the devices are securely updated. In addition to firmware updates, DrayTek provided ISPs with specific measures to restore connectivity but has not yet determined the definitive cause of the connection losses. Previously, in October, DrayTek resolved critical security flaws affecting over 700,000 devices, illustrating ongoing security challenges with its router models. |
| 2025-03-24 17:56:49 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Weaver Ant Hackers Target Telecom Network for Four Years | The advanced persistent threat group Weaver Ant, linked to China, infiltrated an Asian telecommunications provider's network for over four years. They used compromised Zyxel CPE routers and variants of the China Chopper backdoor along with a custom web shell named 'INMemory' for covert operations. The group leveraged web shell tunneling to create a hidden command-and-control network, allowing them to control and execute payloads within segmented parts of the network. Techniques included encryption, passive network traffic capture, and exploitation of high-privileged accounts with static passwords to avoid detection and maintain persistent access. Weaver Ant's tactics also involved disabling logging mechanisms and employing anti-malware scanning bypass techniques to remain undetected. The primary objectives appeared to focus on network intelligence and credential harvesting, characteristic of state-sponsored espionage rather than direct financial theft. Cybersecurity firm Sygnia suggests improving internal network traffic monitoring, detailed logging, applying the principle of least privilege, and frequent credential rotation to defend against such threats. |
| 2025-03-24 16:25:19 | thehackernews | MISCELLANEOUS | Microsoft Enhances Edge with Inline Data Protection Features | Microsoft announced new features for Edge for Business, aimed at preventing data leaks into consumer GenAI apps like OpenAI ChatGPT. Inline data protection in Edge will block sensitive corporate data from being entered into external web applications. The features are integrated into Microsoft Purview's data loss prevention controls, which are now generally available. The announcement also covers increased security in Microsoft Teams to improve defense against phishing and ransomware attacks via enhanced team collaboration security settings; real-time detonation technology to analyze and neutralize malicious content before it reaches the end user; an expansion of Security Copilot with 11 new agentic solutions focusing on data breach analysis, threat prioritization, and compliance improvements; new capabilities that automate routine security processes, aiding human security teams in managing more complex threats effectively; and enhanced user and domain management controls to protect against malicious interactions and improve organizational security posture. |
| 2025-03-24 16:25:19 | bleepingcomputer | MALWARE | Critical Security Flaw in Next.js Could Allow Unauthorized Access | A severe vulnerability in Next.js, identified as CVE-2025-29927, allows attackers to bypass authorization checks by manipulating request headers. The flaw involves the 'x-middleware-subrequest' header, which lets requests bypass middleware security functions and reach destination paths directly. Next.js is extensively used, with over 9 million weekly downloads, and is employed by major platforms like TikTok, Twitch, and Netflix. The vulnerability impacts versions of Next.js prior to 15.2.3, 14.2.25, 13.5.9, and 12.3.5, with a strong recommendation for users to update to the newer versions. CVE-2025-29927 only affects self-hosted Next.js applications that use 'next start' with 'output: standalone'; applications hosted on platforms like Vercel are not affected. In cases where immediate patching is not feasible, blocking external requests that include the 'x-middleware-subrequest' header is advised as a temporary measure. |
| 2025-03-24 16:25:19 | bleepingcomputer | CYBERCRIME | International Operation Nets 300 Suspects in African Cybercrime Crackdown | 'Operation Red Card', led by INTERPOL, resulted in the arrest of 306 individuals across Africa, targeting cross-border cybercriminal networks. The operation was conducted between November 2024 and February 2025, during which 1,842 devices linked to various online scams were seized. Authorities collaborated internationally, exchanging criminal intelligence and utilizing data from private sector partners like Group-IB, Kaspersky, and Trend Micro to enrich their insights. Significant arrests included 130 in Nigeria for investment fraud and online casino scams and 40 in South Africa linked to SIM box fraud operations. Zambian police detained 14 individuals involved in a cybercrime gang that hacked phones to spread malware and control victims' banking apps. In Rwanda, 45 suspects were arrested in connection with social engineering scams that accumulated over USD 305,000 from victims in 2024. The operation underscores the effectiveness of international cooperation in tackling cybercrime, which can have severe impacts on global communities and economies. The success of 'Operation Red Card' follows other significant INTERPOL-coordinated efforts in Africa such as 'Operation Serengeti' and 'Operation Africa Cyber Surge II'. |
| 2025-03-24 16:07:18 | theregister | MISCELLANEOUS | Microsoft Enhances Security Copilot with AI-Driven Agents | Microsoft's Security Copilot now includes 11 task-specific AI agents designed to enhance interactions with security products like Defender, Purview, Entra, and Intune. The AI agents use generative AI to automate routine tasks and summarize high-volume data, such as phishing warnings and threat alerts, helping prioritize critical security issues. Initial use of Security Copilot has led to significant improvements in response times to security incidents, with up to a 30 percent reduction in mean time to respond. The AI agents continually learn and evolve based on individual feedback, requiring minimal human input to refine their operations. Despite the AI's capabilities, human oversight remains necessary, particularly in distinguishing false positives in phishing triage and applying context-specific decisions. Corporate partners and Microsoft continue developing safeguards against potential AI errors, including measures to prevent cross-prompt injections and hallucinations. Use cases shared at the event underscored the practical applications and benefits of AI in handling complex security and privacy compliance tasks across various regulations. |
| 2025-03-24 14:13:56 | thehackernews | MALWARE | VanHelsing RaaS Targets Multiple OS with Sophisticated Extortion Tactics | VanHelsing, a new ransomware-as-a-service (RaaS) operation, began its malicious activities on March 7, 2025, and has already claimed three victims. It uses a dual-extortion approach involving data theft before encryption, subsequently threatening to release the stolen data unless a ransom is paid. The service appeals to a broad range of cybercriminals by providing a user-friendly control panel accessible on multiple devices and operating systems, including Windows, Linux, and more. Entry into the VanHelsing RaaS program requires a $5,000 deposit for new affiliates, while established partners may join for free, with affiliates typically retaining 80% of any ransom collected. The ransomware specifically avoids targeting the Commonwealth of Independent States (CIS), following a common practice in the cybercrime ecosystem of not attacking entities within these nations. VanHelsing encrypts files, appends a ".vanhelsing" extension to them, alters desktop wallpapers, and displays a ransom demand, pushing victims to pay in Bitcoin. CYFIRMA reports that the manufacturing, government, and pharmaceutical sectors in the U.S. and France are among those impacted by these ransomware attacks. This trend aligns with a global increase in ransomware incidents, with February 2025 cited as a record month of 962 attacks, signaling a spike in remote encryption tactics by cybercriminals. |
| 2025-03-24 14:06:43 | theregister | CYBERCRIME | 23andMe Files for Bankruptcy Amidst Financial Struggles and Cyberattack Fallout | 23andMe initiated Chapter 11 bankruptcy proceedings in the Eastern District of Missouri, citing financial challenges and legal liabilities from a significant 2023 cyberattack. The company plans to sell its assets under court supervision, aiming to maximize value and address its operational and financial obstacles. Court-approved debtor-in-possession financing secures $35 million to fund operations and maintain payments to staff and vendors during the asset sale process. CEO Anne Wojcicki has stepped down but will remain on the board, following ongoing financial instability and failed attempts to take the company private. 23andMe has struggled financially since its inception in 2006, never achieving profitability, with the recent cyberattack exacerbating its financial insecurity. The bankruptcy filing will handle the resolution of a $30 million settlement from a class-action lawsuit over the data breach, underscoring the cyberattack's severe impact. California's attorney general has advised state residents to proactively manage their personal data held by 23andMe, reflecting heightened data privacy concerns. Despite the bankruptcy and leadership change, 23andMe will continue to operate normally until the asset sale is concluded. |