Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12820
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-02-18 12:36:22 | bleepingcomputer | RANSOMWARE | Ransomware Attack Disrupts Operations at Lee Enterprises | Lee Enterprises, a major US newspaper publisher, confirmed a ransomware attack caused significant operational disruptions. The attack, occurring on February 3, encrypted vital applications and exfiltrated files, leading to a systems outage. Print and digital distribution were delayed, affecting daily newspapers and impacting online operations. As of February 12, while core products resumed normal distribution, smaller publications remain affected, representing 5% of total revenue. Lee continues to assess the risk of sensitive data or personally identifiable information (PII) exposure, though no conclusive evidence has been found yet. Temporary measures, like manual processing and alternative distribution channels, were implemented to sustain critical operations. The company is working on a recovery plan, anticipating gradual restoration over the coming weeks. This event recalls a previous cyber incident in 2020, where Lee was targeted by Iranian hackers aiming to disrupt the US election. | Details |
| 2025-02-18 12:27:01 | thehackernews | MALWARE | Critical Vulnerability in Juniper Routers Allows Unauthorized Access | Juniper Networks identified a critical security flaw in their Session Smart Routers, Session Smart Conductor, and WAN Assurance Router products. The vulnerability, tracked as CVE-2025-21589, has a high severity score of 9.8 on the CVSS v3.1 scale and 9.3 on the CVSS v4 scale. It allows network-based attackers to bypass authentication measures and gain administrative control over the devices. Affected routers include multiple versions up to SSR-6.3.3-r2; updated versions have patched the vulnerability. Juniper performed internal security testing and research to discover the flaw before any known malicious exploitation occurred. Devices connected to the Mist Cloud and using WAN Assurance received automatic patches, though manual updates are recommended for all affected systems. This vulnerability underscores the critical importance of continuous monitoring and immediate patch management in network devices to protect against potential unauthorized access. | Details |
| 2025-02-18 11:01:14 | thehackernews | MISCELLANEOUS | AI Hype Overshadows Traditional Cyber Threat Tactics | Despite media focus on AI, current data shows traditional attack techniques still dominate. Picus Labs' Red Report 2025 analyzed over one million malware samples, finding no significant rise in AI-driven attacks. Credential theft has notably increased, jumping from 8% to 25%, highlighting the need for enhanced credential management. 93% of malware utilizes at least one of the Top 10 MITRE ATT&CK techniques, with exfiltration and stealth tactics being most common. Security teams are advised to focus more on behavioral analysis rather than solely on signature-based detection to identify sophisticated threats. Modern threats typically involve multiple attack stages, making early detection and continuous security validation crucial. Picus Security emphasizes returning to cybersecurity fundamentals, such as robust credential protection and advanced threat detection, to effectively counter prevailing threats. | Details |
| 2025-02-18 09:55:02 | thehackernews | NATION STATE ACTIVITY | Winnti APT41 Targets Japanese Firms in RevivalStone Espionage Campaign | Winnti, linked to China, targeted Japanese companies in manufacturing, materials, and energy via its RevivalStone campaign in March 2024. The campaign was identified by Japanese cybersecurity firm LAC and is associated with global espionage efforts linked to the APT41 group. The attacks leveraged SQL injection vulnerabilities to install web shells and Winnti malware for data theft and persistent access. Recent tactics include exploiting enterprise resource planning (ERP) systems, using stealth to avoid detection and establishing remote access. The group specifically used enhanced versions of malware like China Chopper and Winnti, with features like obfuscation and enhanced encryption. Winnti has expanded its reach by compromising a managed service provider (MSP), using the MSP's infrastructure to target additional firms. The campaign also hinted at the use of new malware versions (Winnti v5.0) and tools named TreadStone and StoneV5, indicating evolving threat tactics. Another Chinese group, Daggerfly, was also mentioned for a separate Linux-based attack strategy, emphasizing ongoing nation-state cyber threats. | Details |
| 2025-02-18 07:09:08 | thehackernews | CYBERCRIME | New Xerox Printer Vulnerabilities Jeopardize Windows Credentials | Security flaws identified in Xerox VersaLink C7025 Multifunction Printers could allow malicious acquisition of Windows Active Directory credentials. Attacks exploit vulnerabilities via Lightweight Directory Access Protocol (LDAP) and SMB/FTP services, enabling unauthorized configuration changes in printers. CVE-2024-12510 and CVE-2024-12511 are the specific vulnerabilities that allow redirection of authentication data to servers controlled by attackers. Successful exploitation demands either physical access or web interface control, with potential adjustment of LDAP, SMB, or FTP settings. Xerox addressed the flaws with Service Pack 57.75.53 for various printer models following responsible disclosure on March 26, 2024. Users are advised to implement complex admin passwords, limit privileged Windows accounts, and disable remote control access pending updates. The report coincides with another significant vulnerability in widely deployed healthcare software, potentially impacting 23 healthcare organizations. | Details |
| 2025-02-18 05:33:22 | theregister | CYBERCRIME | Indian Authorities Seize $250 Million in BitConnect Crypto Scam | Indian Directorate of Enforcement seized over $200 million in assets linked to the BitConnect cryptocurrency scam. BitConnect falsely promised investors 40% monthly returns through a "lending program" involving cryptocurrency contributions. The scheme, akin to a Ponzi scheme, funneled investors' funds into wallets controlled by founder Satish Kumbhani and promoter Glenn Arcaro. Glenn Arcaro pled guilty to conspiracy charges in 2023, agreeing to pay restitution of over $17 million to victims. Substantial effort was made by Indian authorities to track crypto transactions through Dark Web and physical devices to locate the stolen funds. Seized assets include cryptocurrencies, immovable properties, and a luxurious Lexus vehicle. Despite significant recovery, the seized assets represent less than ten percent of BitConnect's initial estimated holdings of $2 billion worth of Bitcoin. Future plans for the recovered assets remain undetermined as investigations continue both in India and internationally. | Details |
| 2025-02-18 05:33:22 | thehackernews | MALWARE | Stealth Malware Uses Image Tags to Steal Credit Card Data | Cybersecurity experts have discovered a new malware campaign targeting e-commerce platforms, particularly those using Magento. The malware cleverly disguises itself within `<img>` HTML tags, using a base64-encoded JavaScript that triggers on an onerror event. This technique helps the malware stay undetected by masquerading as a simple image tag error, evading usual security measures. Once triggered, the script specifically targets users on checkout pages, dynamically inserting a fake payment form to capture credit card details. The collected data is then exfiltrated to an external server under the control of the attackers. This attack indicates a broader trend where cybercriminals continuously evolve their methods to remain covert, ensuring their malicious activities go unnoticed for longer periods. The incident underscores the importance of robust security measures and frequent monitoring to detect and mitigate such sophisticated threats. | Details |
| 2025-02-17 20:30:32 | bleepingcomputer | CYBERCRIME | Chase to Block Zelle Payments for Social Media Purchases | JPMorgan Chase will block Zelle payments to social media merchants to combat rising online scams. Reports indicate nearly 50% of scam claims filed by Chase's customers between June and December 2024 originated from social media platforms. Starting March 23, Chase will begin declining Zelle transactions identified as originating from social media to enhance user protection. Zelle is designed for transactions between known parties, and Chase aims to remind users that it is not intended for commercial payments to unfamiliar sellers. The decision may be linked to a CFPB lawsuit accusing Zelle's operators and owning banks of inadequate consumer protections, leading to significant fraud losses. The CFPB alleges consumers lost over $870 million via Zelle, driven by hasty market entry and poor safeguards by major banks. Chase's initiative reflects a broader industry move toward securing digital transactions amidst escalating cybercrime concerns. | Details |
| 2025-02-17 18:50:51 | bleepingcomputer | MISCELLANEOUS | Microsoft to Phase Out Location History Feature in Windows | Microsoft is discontinuing the Location History feature in Windows, affecting how apps like Cortana access device location data. The feature allowed apps to access up to 24 hours of device location history; however, this capability will soon be removed. The API involved, 'Geolocator.GetGeopositionHistoryAsync', will no longer support storage or retrieval of local location data. Developers using the Windows.Devices.Geolocation API are advised to modify their applications to avoid potential functionality issues. Users will have the option to disable location services entirely and remove any previously collected location data. Microsoft has yet to provide specific reasons for the change, but further updates are expected as BleepingComputer follows up. The location services setting will also be eliminated from Windows Settings under Privacy & Security. | Details |
| 2025-02-17 17:44:07 | bleepingcomputer | MISCELLANEOUS | X Social Media Platform Blocks Signal.me Links as Malicious | X (formerly Twitter) is now automatically blocking links to "Signal.me," citing them as potential spam or malware. Attempts to share Signal.me links on X, whether in posts, messages, or bios, are met with error messages. This block appears to be a recent action, as users could previously share Signal.me links without issues. Links from Signal.me are uniquely used for sharing contact information securely via the Signal messaging app. Other Signal URLs, like Signal.org, and third-party messaging service URLs, including those from Telegram, are not blocked. The reasons behind this specific blocking of Signal.me links remain unclear, though speculation suggests potential political motives. Historically, X has temporarily restricted links to competing platforms, reflecting its changing approach under new ownership. This issue was highlighted amidst scrutiny over the platform's owner, Elon Musk, and his management of the Department of Government Efficiency. | Details |
| 2025-02-17 16:38:29 | thehackernews | MALWARE | Microsoft Identifies Enhanced macOS Malware Variant XCSSET | Microsoft has detected a new variant of the XCSSET malware targeting macOS, introducing sophisticated obfuscation and persistence tactics. This updated version features advanced methods to evade detection and includes new infection strategies that were not present in earlier models. The malware exploits macOS systems by mutating Apple Xcode projects and has capabilities that affect even the latest macOS versions and Apple's M1 chipsets. XCSSET can now extract sensitive data from applications such as Google Chrome, Telegram, and Evernote, in addition to previously targeted Apple native apps. The malware utilizes exploits like CVE-2021-30713 to perform actions like taking screenshots without additional permissions, showcasing its intrusive capabilities. In its newest form, XCSSET malware sets a deceptive persistence mechanism by manipulating macOS's Dock items to ensure its activation with each system start. The origins of XCSSET malware remain unclear, but its continuous evolution highlights significant risks to macOS users. | Details |
| 2025-02-17 16:12:20 | bleepingcomputer | MALWARE | New XCSSET macOS Malware Variant Targets Crypto Wallets | Microsoft identifies an updated variant of the XCSSET macOS malware, focusing on stealing cryptocurrency. This malware, distributed via infected Xcode projects, has evolved with enhanced obfuscation and persistence. Key changes include a new method for maintaining presence via .zshrc files and using a signed dockutil tool for infection. The malware impacts Apple's integrated development environment, posing risks to a broad user base. Targets include sensitive user data such as logins, digital wallet data, and Notes app content. Microsoft advises developers to rigorously inspect Xcode projects, especially those sourced from unofficial repositories. Apple had previously addressed a zero-day vulnerability in 2021 exploited by XCSSET, highlighting ongoing threats from this malware variant. | Details |
| 2025-02-17 13:50:14 | theregister | MALWARE | XCSSET macOS Malware Resurfaces with Enhanced Evasion Techniques | Microsoft has identified a new iteration of the XCSSET malware targeting macOS, marking its first update since 2022. This updated version includes improved obfuscation methods, enhanced persistence mechanisms, and new infection vectors for greater evasion. The primary method of infection remains through corrupted Xcode projects, which can spread unknowingly through shared GitHub repositories. XCSSET now uses advanced encoding techniques, including Base64, and employs randomization in encoding payloads to evade static analysis and threat detection. Persistence is achieved using methods like the zshrc and dock approaches, allowing the malware to automatically execute in shell sessions or via the macOS dock. The malware continues to target digital wallets and extract sensitive information from system files like Notes. Microsoft warns developers to thoroughly verify Xcode projects and encourages downloading apps only from reliable sources, though no specific indicators of compromise were provided. | Details |
| 2025-02-17 12:27:16 | theregister | MISCELLANEOUS | Innovative Web Design Tool Redefines Creative Process | Loken is an innovative tool designed to simplify and enhance the process of web design through intuitive, interactive CSS adjustments akin to using a music synthesizer. Developed by Berlin-based solo entrepreneur Steve Mitchell, Loken facilitates an explorative approach in web design, ideal for designers uncertain of their final design vision. The tool enables designers to manipulate design elements seamlessly, creating outputs such as color palettes and gradient styles by linking simple input commands. The platform is built to generate design tokens directly, streamlining how design elements integrate with website coding, circumventing traditional CSS typing. Mitchell's inspiration stemmed from his background in front-end development and his experiences with the limitations of existing design tools. Set to launch its version 1.0 in February, Loken targets both seasoned designers and those without extensive programming or design experience. The web and Electron app, currently implemented in PHP using Laravel, focuses on backend support features like CRM, user management, and payment processing. Although not open-source, Loken might share certain components and tools as free open-source software (FOSS) while growing its user base organically without venture capital support. | Details |
| 2025-02-17 11:44:13 | thehackernews | DATA BREACH | South Korea Halts DeepSeek AI Downloads for Privacy Concerns | South Korea has temporarily stopped the downloads of the Chinese AI chatbot DeepSeek due to violations of data protection laws. The suspension, imposed by the Personal Information Protection Commission (PIPC), commenced on February 15, 2025, and affects only new app downloads while web services remain active. PIPC's investigation into DeepSeek revealed shortcomings in the app's communication features and its handling of personal information with third-party services. Despite having a local representative, DeepSeek admitted to overlooking South Korean privacy laws during its initial launch. The app's suspension will persist until necessary changes are made to align with the Personal Information Protection Act. Users with the app already installed are advised to exercise caution by avoiding the input of personal information until further notice. Prior critiques from South Korea's National Intelligence Service highlighted DeepSeek's excessive data collection and insecure data transmission practices. PIPC aims to enforce and enhance regulatory compliance to prevent future occurrences of similar privacy issues. | Details |