Daily Brief

2025-03-21 10:34:43 thehackernews NATION STATE ACTIVITY Collaborative Cyber Campaigns Target Russian Sector via Advanced Tools
Kaspersky identified collaboration between two threat groups, Head Mare and Twelve, targeting Russian entities using shared C2 servers and tools. Head Mare used a since-patched WinRAR vulnerability (CVE-2023-38831) for initial access, deploying malware and ransomware such as LockBit and Babuk. Twelve's operations focused on data encryption and destruction of infrastructure via publicly available tools and custom wipers. New analysis revealed Head Mare's adoption of CobInt, a backdoor linked to other attacks on Russian organizations, and a new implant named PhantomJitter for remote command execution. Additional access techniques used by Head Mare included exploiting Microsoft Exchange vulnerabilities and phishing emails, often infiltrating through contractors' networks. The joint campaigns culminated in ransomware deployment, with victims urged to contact the attackers via Telegram for decryption, after extensive efforts to conceal the intrusion. The activity from Head Mare and Twelve indicates a broader pattern of sophisticated cyber attacks involving multiple threat actors within Russia. Related cyber activities by other groups, such as ScarCruft and Bloody Wolf, show a trend of increased and diversified threats targeting the region.
2025-03-21 07:38:37 theregister MISCELLANEOUS AdTech CEO Jailed for Fabricating Financial and Product Data
Paul Roberts, former CEO of Kubient, was sentenced to over a year in prison for committing financial fraud by falsifying company records. Kubient claimed to deliver fraud detection services using its KAI software, which in reality involved no actual work or valid data, leading to fabricated service reports. The company falsely reported $1.3 million in revenue from a non-existent service exchange with an unnamed company to inflate its financials. These misrepresented figures were used to deceitfully boost the company's revenue reports ahead of its public listing, which subsequently raised over $33 million through IPOs. The U.S. Securities and Exchange Commission charged Roberts and other executives after discovering the fraud, leading to Roberts' guilty plea and legal consequences. Despite earlier claims of effectiveness, the capabilities of Kubient's KAI software remained questionable; the company was delisted from NASDAQ and canceled a significant merger. Following the scandal, Kubient appears to have ceased operations.
2025-03-21 06:31:22 theregister NATION STATE ACTIVITY Paragon Spyware Misused to Target Journalists, Activists, Claims Report
A Citizen Lab report asserts that Israeli Paragon Solutions' spyware was misused against journalists and activists instead of its advertised purpose of targeting criminals and terrorists. Details of the misuse were unearthed when WhatsApp, aided by Citizen Lab, notified approximately 90 individuals identified as targets, revealing the involvement of multiple government customers. The spyware, known as Graphite and developed by Paragon, is marketed as a constrained surveillance tool that purportedly does not grant full control over the target's phone. Separately, a data breach at SpyX, a company providing parental control software, resulted in the leak of nearly two million account details, including sensitive user information. The report identifies misuse of spyware in countries including Italy, where notable journalists and humanitarian groups faced unwarranted surveillance. The U.S. military dismissed claims about possessing a 'kill switch' in F-35 jets, underlining the plane's software and hardware security considerations. The ongoing use and export of spyware tools raise concerns about oversight and potential misuse internationally, impacting civil liberty groups and political dissenters.
2025-03-21 05:16:02 thehackernews CYBERCRIME Active Exploitation of Cisco Utility Threatens Sensitive Data
Ongoing cyber attacks are targeting previously disclosed vulnerabilities in Cisco Smart Licensing Utility. Two critical vulnerabilities grant attackers administrative access and the ability to extract sensitive log data. Affected versions are 2.0.0, 2.1.0, and 2.2.0; these have been patched in the latest release, version 2.3.0. The exploitation is ongoing even though Cisco released patches back in September 2024. Additional vulnerabilities, including an information disclosure flaw in Ncast products, are also being weaponized by attackers. The identity of the attackers and their ultimate objectives remain unclear. Organizations are urged to apply the patches immediately to prevent potential data breaches and system compromises.
2025-03-21 01:13:49 theregister DATA BREACH Harsher Punishment Sought for Capital One Data Theft Perpetrator
Paige Thompson, convicted of stealing data from over 100 million Capital One customers and installing cryptomining software, may face a sterner sentence after an appeals court decision. Originally receiving a sentence of time served plus probation, the appeals court ruled this punishment too lenient considering the severity of the data breach. Thompson exploited misconfigured AWS S3 cloud storage buckets to extract sensitive financial data and boasted about her activities on GitHub. The data theft resulted in approximately $40 million in damages and forced Capital One to pay hefty fines totaling $270 million due to poor data security practices and customer lawsuits. The Department of Justice argues for stricter sentencing, highlighting the breach as the second largest US data theft incident to date. The appeals court emphasized that despite Thompson's personal vulnerabilities due to her autistic and transgender status, the sentence must reflect the seriousness of the offense and federal sentencing goals. Thompson continued unlawful online activities and financial transactions even following her arrest.
2025-03-20 23:32:48 bleepingcomputer MALWARE Critical RCE Vulnerability Patched in Veeam Backup Software
Veeam has addressed a severe remote code execution vulnerability tagged CVE-2025-23120 in its Backup & Replication software, affecting domain-joined systems. The security flaw involves a deserialization issue in specific .NET classes, allowing potential attackers to remotely execute malicious code. The vulnerability affects Veeam Backup & Replication version 12.3.0.310 and all prior version 12 builds, with a patch issued in version 12.3.1. Security research group watchTowr Labs discovered the flaw, noting that Veeam's prior mitigation strategy, blacklisting known exploitable classes or objects, had proved ineffective. Ransomware gangs have previously targeted Veeam Backup & Replication servers, emphasizing the criticality of this vulnerability due to its potential to facilitate data theft and hinder data restoration. There are no current reports of this flaw being exploited in the wild, but the detailed disclosures may soon prompt threat actors to develop exploits. Veeam strongly advises all users to promptly upgrade to the latest patched version and to adhere to best practice recommendations, including isolating backup servers from Windows domains.
2025-03-20 23:07:54 theregister NATION STATE ACTIVITY Defense Engineer Guilty of Unauthorized Classified Docs Retention
Gokhan Gun, a U.S. Department of Defense electrical engineer, pleaded guilty to unauthorized retention of classified material. Gun, who held top-secret security clearance, printed 256 documents, totaling 3,412 pages, containing sensitive information. The FBI arrested Gun as he was preparing to leave for a trip to Mexico, with top secret documents found in his possession. He had been specifically trained on the secure handling and storage of classified documents, which he neglected by removing them from government premises. The incident occurred over a span from May to August 2024, with Gun printing many documents after normal working hours. Searches were conducted on Gun’s homes, vehicle, and media storage devices under FBI warrants. Gun faces up to five years in prison with sentencing scheduled for June 17. His actions raise concerns about potential security lapses and the mishandling of classified information within sensitive government sectors.
2025-03-20 21:18:11 bleepingcomputer CYBERCRIME Urgent CISA Warning on Exploited NAKIVO Backup Software Flaw
CISA has issued an alert to U.S. federal agencies regarding a critical vulnerability in NAKIVO's Backup & Replication software, urging immediate security measures. The vulnerability, identified as CVE-2024-48248, allows unauthenticated attackers to read sensitive files on impacted devices through absolute path traversal. Discovered by cybersecurity firm watchTowr, the flaw can lead to data breaches by exposing backups, credentials, and configuration files. Despite NAKIVO releasing a fix in November with Backup & Replication v11.0.0.88174, the flaw was not initially disclosed as actively exploited; however, recent insights have led CISA to classify it as such. Federal agencies have a three-week deadline until April 9 to patch the vulnerability, as per the Binding Operational Directive (BOD) 22-01. NAKIVO has a significant global presence with over 30,000 customers in 183 countries, underscoring the wide potential impact of the exploit. All organizations, not just federal ones, are advised to promptly patch their systems to mitigate potential risks posed by this security flaw.
2025-03-20 19:58:10 bleepingcomputer MALWARE Ransomware Hidden in VSCode Extensions Exposes Security Gaps
Two VSCode Marketplace extensions, "ahban.shiba" and "ahban.cychelloworld," were found to contain early-stage ransomware. These extensions bypassed Microsoft's review processes and were available for download; "ahban.cychelloworld" was uploaded on October 27, 2024, and "ahban.shiba" on February 17, 2025. The ransomware, still under development, targeted files in a specific test directory and displayed a mock ransom demand, suggesting a testing or proof-of-concept stage. ReversingLabs discovered the malicious code and alerted Microsoft, leading to the removal of the extensions from the VSCode Marketplace. Security researcher Itay Kruk indicated that their notifications about the ransomware initially went unanswered by Microsoft, showing potential oversight issues. This incident highlights significant lapses in Microsoft's extension review process, in particular the earlier updates that introduced the ransomware without being detected. Despite Microsoft's proactive removals in other instances, the delayed response here underscores challenges in their security practices and review prioritization.
2025-03-20 19:06:28 bleepingcomputer CYBERCRIME Attackers Exploit Cisco Utility Flaws for Unauthorized Access
Critical vulnerabilities in Cisco Smart Licensing Utility (CSLU) are now being actively exploited. Unpatched CSLU instances allow attackers to access systems with administrative privileges due to a hard-coded backdoor account. The two vulnerabilities, CVE-2024-20439 and CVE-2024-20440, allow remote administrative access and sensitive data leakage, respectively. Attackers can exploit these vulnerabilities by sending crafted HTTP requests or using the hard-coded static password to gain access. The observed exploitation included chaining these flaws with other known vulnerabilities affecting different devices. Cisco initially patched these flaws in September, but recent discoveries indicate ongoing exploitation attempts. Nicholas Starke published a detailed write-up on the vulnerability shortly after Cisco's advisory, which might have aided attackers. Cisco has previously addressed similar backdoor vulnerabilities in other products, indicating recurring issues with hard-coded credentials.
2025-03-20 18:37:44 theregister MALWARE Veeam Faces Criticism for Handling of Severe RCE Vulnerability
Veeam patched a critical Remote Code Execution (RCE) vulnerability, CVE-2025-23120, with a severity score of 9.9, affecting its Backup & Replication software, version 12.3.0.310 and earlier. The vulnerability can be exploited by any authenticated domain user if the Veeam server is part of the domain, despite Veeam's claim that joining a domain goes against its best practices. Critics, including researchers from watchTowr and Rapid7, argue that the authentication requirement is a weak barrier and that Veeam's software is frequently targeted in ransomware attacks. Over 20 percent of incident response cases handled by Rapid7 in 2024 involved attacks exploiting Veeam software, usually after attackers had already established an initial network foothold. Veeam uses a blocklist to mitigate deserialization vulnerabilities, which has been criticized as insufficient compared to an allowlist, with researchers demonstrating how blocklist-based protections can be bypassed. Researcher Piotr Bazydlo criticized Veeam for assigning a single CVE identifier to the bug despite discovering two separate gadgets that could lead to RCE, indicating potential oversight in addressing the full scope of the vulnerability. The criticism extends to Veeam's approach to security updates, with suggestions that relying on updating a blocklist is reactive and consistently behind attacker capabilities.
2025-03-20 16:43:25 bleepingcomputer MALWARE Betruger Backdoor Empowers RansomHub Ransomware Attacks
A custom backdoor named Betruger has been linked to RansomHub ransomware operations, offering a range of malicious capabilities. Betruger aids in espionage activities like keylogging, credential dumping, network scanning, and other pre-ransomware deployment functions. Unlike typical ransomware attacks that rely on publicly available tools, Betruger is engineered to perform multiple malicious functions to streamline attacks. The malware disguises itself using filenames similar to legitimate mailing apps, such as 'mailer.exe' and 'turbomailer.exe'. RansomHub, utilizing Betruger, emerged as a major player in ransomware-as-a-service, targeting high-profile entities across various sectors including healthcare and government. Symantec's analysis suggests that the adoption of custom tools like Betruger signifies a strategic evolution in ransomware tactics. Although the primary function of most ransomware is data encryption for extortion, RansomHub has been more focused on data theft and extortion without necessarily encrypting data.
2025-03-20 16:28:19 bleepingcomputer MISCELLANEOUS UK's NCSC Sets 2035 Deadline for Quantum Cryptography Adoption
The UK's National Cyber Security Centre (NCSC) has issued guidelines for critical organizations to migrate to post-quantum cryptography (PQC) by 2035. The directive is aimed at government agencies, large enterprises, and critical infrastructure operators to protect against quantum computing threats. NCSC's guidelines include a structured migration plan with specific milestones and emphasize adopting NIST-approved PQC algorithms. These algorithms include ML-KEM, ML-DSA, and SLH-DSA, with HQC selected as an official backup algorithm. The guidance highlights the importance of upgrading security systems in response to advancing quantum technologies to maintain data security. Challenges identified in the migration process include issues with legacy systems, the need for specialized expertise, and complexities in the supply chain. The UK plans to introduce a pilot scheme to assist organizations with the migration by providing access to cryptography specialists for planning and execution. This initiative aligns with similar timelines set by the United States for federal systems through the National Security Memorandum 10 (NSM-10).
2025-03-20 15:49:03 thehackernews MALWARE YouTube Game Cheat Videos Distribute New Arcane Stealer Malware
YouTube videos offering game cheats have been identified distributing a new type of stealer malware called Arcane, primarily among Russian-speaking users. Kaspersky's research shows that Arcane targets sensitive data, including VPN details, network utilities, and browser-stored information like passwords and cookies. The malware spreads through password-protected archives linked in YouTube videos, with execution facilitated by batch files and PowerShell, which also disable Windows SmartScreen protections. Arcane not only gathers login credentials and system data but also collects screenshots, lists running processes, and harvests Wi-Fi network passwords. The stealer utilizes the Data Protection API (DPAPI) to decrypt sensitive browser data and employs a separate utility, Xaitax, for cracking browser encryption keys. Recently, the attackers have introduced ArcanaLoader, promoted as a game cheat download tool, which further distributes the malware. This campaign has been primarily observed in Russia, Belarus, and Kazakhstan, reflecting targeted cybercriminal strategies in these regions. The threat actors' frequent updates to tools and methods highlight their adaptability and focus on continuous malware evolution.
2025-03-20 14:59:12 bleepingcomputer MALWARE Critical Remote Code Execution Flaw Found in WP Ghost Plugin
WP Ghost, a popular WordPress security plugin, contains a critical flaw that may allow remote code execution. The vulnerability, identified as CVE-2025-26909, affects all WP Ghost versions up to 5.4.01. The flaw is due to insufficient input validation in the "showFile()" function, leading to possible arbitrary file inclusion. Whether this escalates to Remote Code Execution depends on the server setup, specifically when WP Ghost's "Change Paths" feature is in Lite or Ghost mode. Even without RCE, the flaw could facilitate dangerous actions like information disclosure and session hijacking. The issue was first reported by researcher Dimas Maulana, with a subsequent fix released in WP Ghost versions 5.4.02 and 5.4.03. Users are advised to update their WP Ghost plugin immediately to mitigate the risk associated with this vulnerability.