Daily Brief

The summaries below are generated.

Total articles found: 12815


2025-03-12 10:23:29 theregister MISCELLANEOUS UK Government Advised to Increase Cybersecurity Salaries
The UK's COO Cat Little acknowledged the need for competitive salaries to attract top cyber talent in government roles. Current public sector pay is too low compared to the private sector, limiting recruitment of skilled cybersecurity professionals. A National Audit Office report criticized the UK government's slow progress towards cybersecurity resilience by 2025. The debate over public sector salaries heightened when former chief of staff Sue Gray earned more than the Prime Minister. The government aims to replace high-cost contractors with permanent, skilled officials such as CISOs and CIOs for better cost efficiency. Also highlighted was the strain that ransomware attacks put on resources, with the 2023 attack on the British Library cited for its financial impact. Legacy systems within the government are immense and varied, with hundreds classified as out-of-date, compromising cybersecurity. The decentralized nature of data about legacy systems and of information sharing leads to gaps in understanding and addressing these vulnerabilities.
2025-03-12 10:02:11 thehackernews CYBERCRIME Microsoft Issues Updates for Six Actively Exploited Zero-Days
Microsoft has released updates addressing 57 security vulnerabilities, including six zero-days actively exploited in the wild. The patched vulnerabilities include 23 remote code execution bugs and 22 privilege escalations, and range in severity from low to critical. Among the actively exploited zero-days, CVE-2025-24983, discovered by ESET, is a use-after-free vulnerability in the Win32k driver that was exploited via the PipeMagic backdoor. PipeMagic, a plugin-based trojan first identified in 2022, used fake OpenAI ChatGPT applications for distribution and targeted entities primarily in Asia and Saudi Arabia. The trojan operates by creating and interacting with a named pipe through which it receives encoded payloads and commands from a control server hosted on Microsoft Azure. CVE-2025-26633 and CVE-2025-24985 are examples of other critical vulnerabilities exploited, affecting system components and file system drivers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities catalog, with a mandated fix deadline for federal agencies of April 1, 2025. Other vendors have also released security updates to mitigate vulnerabilities over recent weeks, indicating a continued emphasis on cybersecurity across various software platforms.
2025-03-12 04:10:44 thehackernews MALWARE Apple Updates iOS to Mitigate WebKit Zero-Day Exploitation
Apple released a patch for a zero-day flaw in WebKit, identified as CVE-2025-24201. The vulnerability allowed highly sophisticated cyber attacks via malicious web content. The attacks targeted specific individuals running iOS versions earlier than 17.2. The flaw was an out-of-bounds write issue that risked an escape from the Web Content sandbox. The patch includes improved checks to enhance security and prevent unauthorized actions. Apple's security update is crucial as it includes fixes for three zero-days exploited this year. Users of devices running older iOS versions were urged to update to receive protection. Details about the discovery of the flaw, and about the duration and specifics of the attacks, remain undisclosed.
2025-03-12 01:56:22 theregister NATION STATE ACTIVITY Over 100 Cybersecurity Specialists Laid Off After Contract Cancellation
A senior penetration tester at CISA, Christopher Chenoweth, reported the termination of his team due to a contract cancellation by DOGE, a unit led by Elon Musk. Over 100 cybersecurity professionals were impacted when DOGE canceled contracts at the Department of Homeland Security, leading to the disbandment of two critical red teams. Following the contract terminations, CISA's ability to conduct penetration testing and other cybersecurity activities has been severely diminished. The Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) also faced closure due to funding cuts by the Department of Homeland Security, halting their work on election security. The Center for Internet Security indicated that the cessation of EI-ISAC support threatens election offices' ability to withstand nation-state cyber threats independently. Communities risk increased vulnerability to cyberattacks on local government structures, schools, and emergency services due to the lack of federal cybersecurity support. As affected cybersecurity professionals seek new job opportunities, the broader impact on national cybersecurity and critical infrastructure protection remains significant.
2025-03-12 01:25:55 theregister CYBERCRIME Microsoft, Adobe, and Apple Release Patches for Critical Flaws
Microsoft's latest Patch Tuesday addresses over 50 security issues, including six critical vulnerabilities and six zero-day exploits. Notable among the zero-days are three NTFS-related vulnerabilities, one of which allows remote code execution via a specially crafted virtual hard disk. Adobe corrected nine security flaws in its products, emphasizing six critical vulnerabilities that permit arbitrary code execution. Apple addressed a significant security flaw in Safari's Web Content sandbox, exploited in targeted attacks against specific individuals. Critical bugs in Windows Remote Desktop Services and DNS Server were disclosed with high severity ratings, requiring immediate attention. Google also released patches for over 40 vulnerabilities in Android, highlighting two under limited, targeted exploitation. All organizations are advised to apply these security updates promptly to mitigate potential risks and secure system integrity.
2025-03-11 20:43:51 bleepingcomputer NATION STATE ACTIVITY North Korean Hackers Deploy Malware via npm Packages
North Korean group Lazarus is using npm to distribute six malicious packages, downloaded 330 times. The packages, designed to steal sensitive data like cryptocurrency information, use typosquatting to trick developers. Malware in the packages includes BeaverTail and InvisibleFerret backdoors, extracting data from browsers and cryptocurrency wallets. Lazarus has conducted previous attacks on GitHub and the Python Package Index, accessing networks for large-scale heists. The compromised packages remain accessible on npm and GitHub, posing an ongoing threat. Developers are urged to rigorously validate open-source packages and monitor for unusual code activities.
2025-03-11 18:51:38 bleepingcomputer MALWARE Apple Patches Sophisticated Zero-Day Exploit in WebKit
Apple has issued an emergency update to address a zero-day vulnerability in its WebKit browser engine, affecting various devices and platforms. The security flaw, identified as CVE-2025-24201, was exploited in highly sophisticated attacks targeting specific individuals running versions before iOS 17.2. The vulnerability allowed attackers to use specially crafted web content to escape the Web Content sandbox and perform unauthorized actions. Devices running iOS, iPadOS, macOS, and visionOS have received patches in the latest updates to mitigate this vulnerability. The affected range includes both older and newer models of Apple devices, emphasizing the broad impact of the bug. This incident marks one of several zero-day vulnerabilities Apple has addressed this year, with prior fixes released for other critical issues in January and February. While Apple has not disclosed the attackers or the specifics of the attack, the urgency and nature of the patches underscore the vulnerability's severity. Users are strongly encouraged to install the latest security updates immediately to protect against potential exploitation of this and similar vulnerabilities.
2025-03-11 17:46:56 bleepingcomputer MALWARE Microsoft March 2025 Patch Addresses Seven Zero-Days, Fixes 57 Bugs
Microsoft's March 2025 Patch Tuesday included updates for 57 security flaws and fixed seven zero-days, six of which were actively exploited. The patches addressed three critical vulnerabilities that could allow remote code execution, all linked to flaws in the system. Actively exploited zero-days involved vulnerabilities in Windows NTFS and the Win32 Kernel Subsystem that could elevate privileges or disclose information. Among the zero-days, CVE-2025-24985 and CVE-2025-24993 were remote code execution vulnerabilities triggered by mounting specially crafted VHD files. A security feature bypass vulnerability in Microsoft Management Console was also patched, which could allow .msc files to bypass Windows security features. The publicly disclosed zero-day, CVE-2025-26630, involved a use-after-free bug in Microsoft Office Access that required phishing or social engineering to exploit. Other companies also released security updates in March 2025, indicating a widespread response to vulnerabilities affecting various systems and applications.
2025-03-11 17:02:41 theregister DATA BREACH ESHYFT Exposes Over 86,000 Medical Records in Data Leak
Over 86,000 records containing personal and medical information of nurses were left unsecured in an S3 bucket by ESHYFT, a company likened to "Uber for nurses." Cybersecurity researcher Jeremiah Fowler discovered the unprotected, unencrypted database, which included facial images, IDs, medical and financial records. Despite Fowler notifying ESHYFT of the exposure on January 4, the database remained publicly accessible for over a month before being secured. The leak is alarming given the healthcare sector's high risk for cybercrime, which involves ransom demands and potential privacy litigation. The data exposed could be exploited for identity theft, employment fraud, and targeted attacks on healthcare facilities and their staff. ESHYFT’s platform connects healthcare professionals with temporary shifts at various healthcare facilities and has been downloaded over 50,000 times. Fowler highlighted the risk of sensitive data exposure when files are visible for delivery via apps or web portals, stressing the need for enhanced data security measures like encryption.
2025-03-11 16:48:33 thehackernews NATION STATE ACTIVITY Blind Eagle Targets Colombian Entities Using Advanced Cyber Tactics
Blind Eagle, also known as AguilaCiega and APT-C-36, has been actively targeting Colombian institutions and government entities since November 2024, exploiting a Microsoft Windows flaw (CVE-2024-43451). The threat group employed social engineering, spear-phishing emails, and remote access trojans including AsyncRAT, NjRAT, Quasar RAT, and Remcos RAT to infiltrate systems. Attacks featured a new payload distribution method involving Bitbucket and GitHub, moving beyond traditional platforms like Google Drive and Dropbox. More than 1,600 victims were compromised in a December 2024 campaign, highlighting the scale and effectiveness of Blind Eagle's operations. Utilization of a packer-as-a-service named HeartCrypt and a variant of PureCrypter indicates advanced malware obfuscation techniques to evade detection. Check Point uncovered a GitHub repository revealing operational details including the threat actor’s operating timezone (UTC-5) and a file containing sensitive account-password pairs from various Colombian sectors. The rapid integration of new exploits and tactics post-patch release illustrates Blind Eagle’s technical agility and persistent threat capability.
2025-03-11 16:38:25 theregister CYBERCRIME FTC Returns $25.5 Million to Tech Support Scam Victims
The FTC is distributing $25.5 million to victims of a tech support scam, with individual refunds averaging about $34 each. The refund follows a settlement with two Cyprus-based companies, Restoro and Reimage, which were accused of deceiving consumers with misleading computer repair services. These companies employed scare tactics, often displaying fake Microsoft Windows pop-ups indicating virus infections, prompting victims to pay for unnecessary repairs. The scam operations began at least in 2018, with the companies barred from misrepresenting their services in future dealings as part of the settlement. Payments made by victims initially ranged from $27 to $58, but follow-up calls sought to extort up to $500 more. One of the scam targets was an undercover federal agent, leading to further exposure of the fraudulent practices. The FTC's action came after long-standing tracking of the companies by credit card issuers and payment processors due to suspicious activities. These refunds are part of a broader FTC initiative, which returned more than $337 million to consumers affected by various scams in 2024.
2025-03-11 16:13:50 bleepingcomputer MALWARE MassJacker Malware Hijacks Over 778K Crypto Wallets
MassJacker is identified as a clipboard hijacking malware targeting cryptocurrency wallet addresses on Windows systems. CyberArk uncovered the operation, revealing it has manipulated at least 778,531 wallet addresses to redirect transactions to a controlled Solana wallet with over $300,000 in transfers. The malware disguises itself in pirated software downloads from pesktop[.]com, starting with a complex script that leads to the final MassJacker payload. The operation appears centralized, as suggested by uniform use of file names and encryption keys across different instances, but may still operate under a malware-as-a-service model. The clippers used in MassJacker constantly monitor and alter clipboard data, replacing legitimate wallet addresses with ones owned by attackers. Despite appearing low-risk, CyberArk stresses the importance of further research into such cryptojacking operations to potentially identify the threat actors involved and mitigate broader security risks. Technical evasion techniques include Just-In-Time hooking, metadata token mapping, and a custom virtual machine to obfuscate the malicious code's activities and hinder analysis.
2025-03-11 14:31:01 bleepingcomputer MALWARE Critical PHP Vulnerability: Global Exploitation and System Compromise
A PHP remote code execution vulnerability, identified as CVE-2024-4577, impacts Windows PHP installations in CGI mode. The vulnerability was patched by PHP maintainers in June 2024, but exploitation attempts began shortly after, including sophisticated credential theft and system compromises. Proof-of-concept exploit code was released by WatchTowr Labs a day after the patches, leading to widespread exploitation efforts. GreyNoise has observed significant activity, identifying 1,089 unique IP addresses exploiting this vulnerability globally, mainly from Germany and China. Attackers have used this vulnerability to execute arbitrary code, with some targeting Japanese organizations and others extending their reach to include systems worldwide. Post-exploitation activities noted by Cisco Talos include persistence establishment, privilege escalation, and deployment of advanced tools like the “TaoWu” Cobalt Strike kit. The vulnerability has been used by cybercriminals, like the TellYouThePass ransomware gang, to deploy webshells and encrypt data, indicating a broad range of attack methodologies. Observations suggest a coordinated spike in scans and exploitation attempts against multiple countries in February 2025, hinting at automated operations to find and attack vulnerable systems.
2025-03-11 14:07:01 bleepingcomputer NATION STATE ACTIVITY State-Sponsored Groups Use AI for Cyberattacks and Development
State-sponsored APT groups are leveraging Google's Gemini AI to enhance coding and scripting capabilities, aiding in cyberattack preparation. Cyberattackers are employing AI to craft sophisticated phishing emails, contributing to a nearly 200% increase in email-based attacks year-over-year. Generative AI, while advancing rapidly, poses significant security risks including deepfake threats and potential AI model poisoning. Cybersecurity firms are utilizing AI to counteract AI-driven threats by developing AI-powered chatbots and enhancing endpoint detection and response systems. Innovative AI applications in cybersecurity allow for automated threat hunting, issue resolution recommendations based on past incidents, and scripted response generation. Script generation through AI is reducing dependence on skilled engineers, minimizing human error, and accelerating cybersecurity response efforts. The integration of AI technologies in cybersecurity is progressively enabling both novice and expert users to manage security threats more efficiently. The ongoing development of AI-based tools is crucial as both the potential of AI to aid cybersecurity and its use by cybercriminals continue to grow.
2025-03-11 13:48:01 bleepingcomputer DATA BREACH Multiple Data Breaches at PowerSchool Expose Millions of Records
PowerSchool, a major K-12 software provider, suffered extensive data breaches revealed by a CrowdStrike investigation. Initial unauthorized access occurred in August and September 2024, months before the major breach in December. Hackers exploited compromised credentials to access and steal sensitive data including SSNs, medical data, and academic records. Despite extortion payment to hackers, there is no evidence of stolen data being published or sold as of January 2, 2025. The December breach allowed unauthorized access from December 19 to 28, 2024, with no signs of malware use or privilege escalation reported. The total impact of the breach remains unclear, but it is estimated to have affected millions of students and teachers across 6,505 districts. PowerSchool faces criticism for lack of transparency regarding the full extent and details of the data compromised.