Daily Brief
Find articles below; each row carries a generated summary of the story.
Total articles found: 12820
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-02-21 07:01:46 | theregister | MALWARE | Critical Security Flaws in Ivanti Endpoint Manager Demand Immediate Patching | Security engineers have exposed four critical vulnerabilities in Ivanti Endpoint Manager, all rated 9.8 in severity. The weaknesses, identified as absolute path traversal flaws, were initially patched in January; however, further patches are now deemed necessary. A recent proof-of-concept exploit published by Zach Hanley shows how unauthenticated attackers could use these vulnerabilities to compromise the server. Attackers could potentially use the software's web-based APIs to force the system to authenticate with a remote server, leaking sensitive NTLMv2 hashes. Although no exploitation in the wild has been detected, the release of PoC exploit code significantly raises the risk of attacks. Ivanti has responded by issuing a second version of the patch to correct issues caused by the first, particularly problems with the Windows "Action" tab functionality. Ivanti strongly advises all users to install the updated patches immediately to protect against potential security breaches. |
| 2025-02-21 03:34:03 | theregister | CYBERCRIME | Thailand to Repatriate 7,000 Victims of Trafficked Scam Call Centers | Thailand is set to repatriate around 7,000 people from abusive scam call centers in Myanmar amid a broader crackdown. These international scam operations have expanded into regions beyond Southeast Asia, including South America and the Middle East. Victims, trafficked for cyber fraud, come from diverse nationalities and are often forced into scamming as a survival tactic. Interpol has highlighted the use of technologies such as cryptocurrencies and AI by scammers to enhance the authenticity and reach of their schemes. Common tactics include romance scams that emotionally manipulate victims into sending money for fictitious emergencies. The financial and psychological impact on victims is profound, potentially leading to significant financial loss and emotional distress. International collaboration and enhanced global law enforcement efforts are crucial in combating the proliferation of such fraudulent activities. New cooperative measures are being implemented, including the establishment of coordination centers in Thailand to tackle these crimes more effectively. |
| 2025-02-21 00:47:24 | theregister | MISCELLANEOUS | Linux VIPs Support Rust Integration to Enhance Kernel Safety | Senior Linux developer Greg Kroah-Hartman advocates Rust code integration to address memory safety issues in the kernel. Christoph Hellwig, another kernel maintainer, opposes the addition because of concerns about maintaining a multi-language codebase. Rust was introduced into the Linux kernel in 2022 to improve memory handling over C, aiming to reduce common memory safety errors. Ongoing debates highlight the resistance from traditional C programmers and the adjustments needed within the developer community to accept Rust. Kroah-Hartman and other supporters argue that Rust offers a significant reduction in certain types of bugs, making it beneficial for new code and drivers. Linus Torvalds has sided with incorporating Rust, even if certain maintainers object, signaling a shift toward broader acceptance of Rust within Linux development. The transition sparks discussions about balancing legacy code maintenance with adopting new, potentially more secure programming languages. |
| 2025-02-20 23:59:47 | theregister | MISCELLANEOUS | Microsoft Enhances Copilot's Bug Bounty Program and Payouts | Microsoft has increased bug bounty payouts for moderate-severity vulnerabilities in its Copilot products to $5,000. The Copilot Bounty Program rewards researchers for identifying previously unknown vulnerabilities, with potential earnings between $250 and $30,000. The expansion now covers 14 types of vulnerabilities, up from the initial three, reflecting the increased integration of generative AI across Microsoft products. Vulnerability severity is classified as Critical, Important, Moderate, or Low, according to Microsoft's severity classifications. Microsoft has also launched training initiatives for AI professionals, including workshops and access to R&D tools, under its Zero Day Quest program. The recent increases in bug bounty targets and rewards come amid concerns about the security and privacy risks inherent in rapidly deploying generative AI technologies. Potential threats include data poisoning attacks that can lead AI models to generate incorrect or harmful outputs, posing real-world risks. |
| 2025-02-20 23:21:47 | theregister | DATA BREACH | Microsoft Urges Review After Power Pages Security Flaw Patched | Microsoft recently addressed a security vulnerability in its Power Pages website-building platform, rated 8.2 on the CVSS scale, which allowed unauthorized access. The flaw, identified by a Microsoft employee, permitted attackers to exploit websites by bypassing user registration controls and elevating privileges. Although the vulnerability is now patched, Microsoft has contacted affected customers to check their sites for signs of exploitation and has provided remediation guidance. Not all Power Pages users are impacted; only the specific customers who have been notified need to take action. This incident underscores ongoing security challenges in software-as-a-service (SaaS) solutions, even as providers like Microsoft continue to enhance their security protocols. Separately, Microsoft also patched a high-severity flaw in its Bing search engine, though there was no evidence of active exploitation. The company states that all necessary fixes have been applied and customers are protected, highlighting the proactive measures taken to ensure user security. |
| 2025-02-20 21:05:24 | bleepingcomputer | CYBERCRIME | Apiiro Releases Tools to Block Malicious Code in Software Projects | Apiiro has introduced two free, open-source tools aimed at preventing malicious code from being added to software projects. The tools, a ruleset for Semgrep and Opengrep and a GitHub-integrated scanner named PRevent, are designed to detect and alert on suspicious code patterns in pull requests. They target supply chain attacks by integrating security checks into CI/CD pipelines and pull request reviews before code is merged. Reported detection accuracy is high: 94.3% for PyPI packages and 88.4% for npm packages, while PRevent flags 91.5% of malicious pull requests. Apiiro's approach uses "code anti-patterns" identified during static analysis, which does not require executing the code and is therefore safer. Currently, the tools do not support detection in compiled binaries or direct scanning of npm and PyPI packages, but future enhancements are planned. Despite the reported effectiveness, limitations exist, and BleepingComputer has not independently verified the performance or safety of these tools. Both tools are freely available on GitHub, complete with usage instructions. |
| 2025-02-20 20:55:59 | bleepingcomputer | CYBERCRIME | Black Basta Ransomware Gang's Confidential Chats Exposed Online | An anonymous source leaked internal chat logs of the Black Basta ransomware gang, possibly affecting their operations. PRODAFT links the leak to Black Basta's alleged attacks on Russian banks, suggesting retaliation might be a motive behind the exposure. The leaks include phishing strategies, victim tactics, and cryptocurrency addresses used between September 2023 and September 2024. Analysis reveals 367 unique companies were likely targeted, based on ZoomInfo links found within the compromised chats. PRODAFT also noted internal conflicts within the gang, as some members reportedly cheated victims by not providing decryption keys after ransom payments. Key members of the gang were identified in the leaked chats, including individuals known by handles such as Lapa, Cortes, YY, and Trump. The leak resembles previous disclosures from other ransomware groups, indicating a possible trend or method in cybercrime intelligence sharing or disruption. |
| 2025-02-20 18:51:08 | bleepingcomputer | CYBERCRIME | Health Org Settles for $11M Over Cybersecurity Non-compliance | Health Net Federal Services and parent company Centene Corporation agreed to an $11.25 million settlement over alleged cybersecurity lapses. The settlement resolves claims that HNFS falsely certified its compliance with critical cybersecurity standards mandated by a TRICARE contract from the Defense Health Agency. HNFS was accused of not implementing required cybersecurity measures while managing health benefits for U.S. military service members and their families across 22 states. The allegations include false certifications of compliance submitted on three separate occasions between 2015 and 2017. Despite the settlement, HNFS and Centene denied all allegations and asserted that no actual data breaches or loss of servicemember information occurred. The settlement does not exempt HNFS and Centene from future criminal liability, administrative penalties, or civil actions related to these allegations, should additional evidence emerge. |
| 2025-02-20 16:48:02 | theregister | CYBERCRIME | US Minerals Company Hit by $500K Cyber Theft on Valentine's Day | NioCorp Developments, a NASDAQ-listed US minerals company, reported a cyber-incident on Valentine's Day resulting in a $500,000 loss due to a business email compromise. The attack involved unauthorized access to the company's email systems, with funds intended for a vendor being misdirected. Upon discovering the breach, NioCorp promptly notified financial institutions and federal law enforcement in the hope of recovering the stolen vendor payments. The company has initiated investigations to contain, assess, and remediate the incident and to understand its full ramifications. While the attack currently appears limited to the misdirected payment, ongoing investigations will determine whether further damage occurred. NioCorp, primarily engaged in developing critical mineral projects for niobium, scandium, and titanium in Nebraska, is still in the development stage and generates no revenue. The loss is significant for NioCorp, which reported an $11.4 million net loss in its last financial statement; the stolen amount represents nearly 4.5% of that annual net loss. |
| 2025-02-20 16:19:41 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Target US Telecoms with Custom Malware | The Chinese state-sponsored group Salt Typhoon has been conducting cyber espionage against U.S. telecom networks since at least 2019. Recent breaches have involved major U.S. telecom providers such as Verizon, AT&T, T-Mobile, and Lumen Technologies, compromising sensitive government communications. Salt Typhoon primarily uses stolen credentials to infiltrate network infrastructure, without relying on newly discovered Cisco vulnerabilities. The group employs methods such as intercepting authentication traffic and moving laterally through network configurations to maintain persistent access. Custom malware, specifically a tool named JumbledPath, is used to monitor and steal data by capturing network packets on compromised devices. Modifications to network configurations and the creation of hidden accounts were observed as methods for maintaining persistent access and evading detection. Cisco recommends monitoring SSH activity, log anomalies, and unexpected configuration changes to detect possible Salt Typhoon intrusions. The broader context shows an increased focus by Chinese threat actors on exploiting edge networking devices using a variety of techniques, emphasizing the importance of applying security patches promptly. |
| 2025-02-20 15:02:04 | bleepingcomputer | MISCELLANEOUS | Integrating LLMs Enhances Security Operations Efficiency | Large Language Models (LLMs) are AI tools that process and generate human-like text, and they can assist within Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) platforms. LLMs boost security operations by supporting log analysis and incident triage and by enhancing overall security insights when combined with tools like Wazuh, an open source security platform. Specific use cases of LLMs in cybersecurity include threat intelligence integration, phishing detection, and contextual recommendations for incident remediation. The capacity of LLMs to analyze and translate unstructured data helps security teams synthesize threat intelligence and detect phishing more effectively than traditional methods. Operational integration examples are detailed, such as using ChatGPT to enrich YARA malware detection alerts and using the Claude Haiku LLM to provide real-time security assistance via Wazuh dashboard queries. Despite their advantages, it is noted that responses from LLM platforms should be reviewed because of potential inaccuracies. |
| 2025-02-20 14:48:06 | theregister | MALWARE | Critical Vulnerabilities in Mongoose Library Threaten MongoDB Security | Researchers uncovered two critical vulnerabilities in the Mongoose ODM library, affecting MongoDB databases. The vulnerabilities (CVE-2024-53900 and CVE-2025-23061) allow potential remote code execution (RCE) and data theft. CVE-2024-53900 was initially patched in Mongoose version 8.8.3, but a bypass was later discovered by security researcher Dat Phung. The bypass, involving nested SQL injection via the $or operator, was subsequently patched in version 8.9.5. Despite the patches, a significant number of downloads of the older, vulnerable version were reported, highlighting an ongoing risk. OPSWAT released proof-of-concept exploits for both vulnerabilities, emphasizing the urgency of updating affected systems. Mongoose's high popularity (over 27,000 GitHub stars and widespread use) underscores the substantial impact and broad attack surface. Experts advise upgrading to the latest Mongoose version (8.10.0) to mitigate the risks associated with these vulnerabilities. |
| 2025-02-20 14:39:11 | bleepingcomputer | CYBERCRIME | Microsoft Addresses Zero-Day Vulnerability in Power Pages | Microsoft issued a security bulletin to fix a high-severity elevation of privilege vulnerability in its Power Pages platform, labeled CVE-2025-23989. The vulnerability allowed unauthorized actors to elevate privileges and bypass user registration controls through improper access control. The issue was actively exploited as a zero-day before Microsoft addressed it at the service level. Impacted customers have been notified and provided with instructions on how to detect signs of exploitation and carry out cleanup procedures. Microsoft also fixed a separate Bing remote code execution vulnerability identified as CVE-2025-21355, although it was not exploited. Admins are advised to review activity logs and user registrations for suspicious activity and to verify the roles of high-privileged users. Recommended protections include enforcing multi-factor authentication and resetting affected credentials. Microsoft has implemented the necessary service-level corrections to mitigate the vulnerability and protect customers against this specific threat. |
| 2025-02-20 13:40:02 | thehackernews | MALWARE | North Korean Hackers Use Job Scams to Plant Malware in Software | North Korean hackers target freelance software developers through job-related schemes to deploy malware, as reported by ESET. The campaign, dubbed DeceptiveDevelopment, uses job interview invitations to deliver malware, including two malware families named BeaverTail and InvisibleFerret. The effort, initially linked to Lazarus Group, has been active since late 2023 and focuses on cryptocurrency theft. Attackers use fake recruiter profiles and trojanized project codebases on GitHub, GitLab, or Bitbucket to achieve initial compromise. Subsequent stages of the malware deployment involve building and executing the project or installing compromised video conferencing software. The primary targets are developers in the crypto and decentralized finance sectors, with victims located in the U.S., India, Italy, and elsewhere. These scams aim not only to siphon funds but also to steal substantial login and wallet information from victims. This operation is part of a broader pattern of North Korean state-sponsored actors diversifying into cryptocurrency theft to fund regime activities. |
| 2025-02-20 11:37:55 | theregister | CYBERCRIME | Elderly Man Defrauded of Large Crypto Sum; Two Arrested | Two individuals were apprehended by Police Scotland in connection with a crypto fraud case in which a 75-year-old man from Aberdeen lost a six-figure sum in cryptocurrency. The arrests took place in Coventry and Mexborough and involved collaboration between regional police forces: West Midlands Police and South Yorkshire Police. Both suspects, aged 54 and 36, face charges related to cryptocurrency fraud, with their case set to be reviewed by the Procurator Fiscal in Scotland. Detective Sergeant David Williamson emphasized the police's commitment to protecting the public from fraud and urged vigilance against suspicious activity. The broader context of the case highlights a troubling trend of scammers targeting elderly individuals, often using impersonation and sophisticated deception tactics. The Register sought further details on the methods used in the scam, but the information remains undisclosed by the respective police forces. This incident is part of a larger pattern, with similar cryptocurrency scams increasing in prevalence and severity in the US and other regions and having a significant financial impact on victims. |