Daily Brief

Total articles found: 12820
2025-02-17 11:09:16 thehackernews MISCELLANEOUS Essential Guide to CTEM for Enhanced Cybersecurity Strategy
Continuous Threat Exposure Management (CTEM) was introduced by Gartner in 2022 as a proactive cybersecurity approach. CTEM combines the strengths of Vulnerability Management (VM) and Attack Surface Management (ASM) to offer continuous monitoring and threat validation. The guide explains how CTEM helps businesses manage cyber risk by prioritizing exposures according to their business impact. Unlike traditional VM, which is reactive, CTEM provides a holistic view of both internal and external exposure and uses simulated attacks to validate which findings are actually exploitable. CTEM is designed to complement existing VM and ASM tooling, enhancing rather than replacing it, and to balance security needs with business operations so that remediation does not cause disruption. The downloadable guide also lists market solutions for CTEM implementation, tailored to various business needs.
2025-02-17 09:20:32 thehackernews NATION STATE ACTIVITY Russian Threat Actors Utilize Device Code Phishing Attacks
Russian-linked threat actors are exploiting device code phishing to access Microsoft accounts. The lure is a falsified Microsoft Teams meeting invitation. Victims who follow the link are prompted to enter, on a legitimate Microsoft sign-in page, a device code that the attackers generated; completing that sign-in authorizes the attacker's session rather than the victim's. Once authenticated, the attackers gain access to sensitive data and maintain persistent access to the victim's environment. Microsoft and Volexity have identified at least three distinct Russian-linked clusters employing this technique. Because the attackers end up holding valid access and refresh tokens, they can reuse the authenticated session without knowing the victim's password. Users are urged to be cautious with unexpected authentication requests and to verify the legitimacy of unsolicited meeting links before entering any code.
2025-02-17 09:05:57 thehackernews MALWARE New Golang Malware Uses Telegram for Command and Control
Netskope Threat Labs identified a new backdoor compiled in Golang that uses Telegram for C2 communications. On start-up the malware checks whether it is running from a specific file path ("C:\Windows\Temp\svchost.exe"); if not, it copies itself there and relaunches to establish persistence. It uses an open-source Golang library for the Telegram Bot API, through which the operators send commands and the backdoor returns output. Currently three of four possible commands are implemented, including a not fully operational screenshot feature. Returning command output through a Telegram channel blends C2 traffic into legitimate cloud-application traffic, improving stealth and evasion. The malware is likely of Russian origin, as evidenced by the command prompts written in Russian. The use of cloud-based applications such as Telegram complicates defence, since the infrastructure is trivial for the attacker to set up and hard for defenders to block outright.
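Two of the behaviours in that summary are directly detectable on an endpoint: a binary named svchost.exe running from C:\Windows\Temp rather than System32, and that process opening a connection to the Telegram Bot API. The script below is an added example, not Netskope's or the malware author's code, that runs those two checks over constructed Sysmon-style process-create and network-connect events (the events, host names and PIDs are made up for the example; the event shape is assumed to follow Sysmon's EventID 1 and 3 fields).

```python
import ntpath

# Directories where the genuine svchost.exe lives (lower-cased for comparison).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Telegram Bot API endpoint the backdoor talks to.
TELEGRAM_API_HOSTS = {"api.telegram.org"}

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network
# connect). Made up for this example; not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\Temp\svchost.exe",
     "CommandLine": r"C:\Windows\Temp\svchost.exe"},
    {"EventID": 3, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "ctldl.windowsupdate.com", "DestinationPort": 80},
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Windows\Temp\svchost.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 2200, "Image": r"C:\Users\dev\tools\tgbot.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
]


def is_masquerading_svchost(image):
    """True when a binary is named svchost.exe but lives outside the system directories."""
    directory, name = ntpath.split(image)
    return name.lower() == "svchost.exe" and directory.lower() not in LEGIT_SVCHOST_DIRS


def detect(events):
    """Walk the events and return findings, most severe first.

    critical: a masquerading svchost.exe connecting to the Telegram Bot API
              (the combination the Netskope write-up describes).
    high:     a masquerading svchost.exe started at all.
    low:      any other process talking to the Bot API; usually a legitimate bot,
              but worth an inventory check since the same API doubles as C2.
    """
    findings = []
    for e in events:
        image = e.get("Image", "")
        masq = is_masquerading_svchost(image)
        if e.get("EventID") == 1 and masq:
            findings.append({"severity": "high", "pid": e["ProcessId"], "image": image,
                             "reason": "svchost.exe executing outside System32/SysWOW64"})
        elif e.get("EventID") == 3 and e.get("DestinationHostname", "").lower() in TELEGRAM_API_HOSTS:
            sev = "critical" if masq else "low"
            findings.append({"severity": sev, "pid": e["ProcessId"], "image": image,
                             "reason": f"connection to {e['DestinationHostname']}:{e.get('DestinationPort')}"})
    order = {"critical": 0, "high": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['severity']:8} pid={f['pid']:<6} {f['image']}  {f['reason']}")
```

The path check uses `ntpath` so it evaluates Windows paths correctly even when the analysis runs on Linux. Blocking api.telegram.org at the proxy is the blunt mitigation the article alludes to; where Telegram is business-approved, the process-path condition is what keeps the rule from paging on every legitimate bot.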
2025-02-17 02:28:26 theregister DATA BREACH Multiple Security Lapses Across Industry, High-profile Data Leak
Security researcher Brutecat disclosed two chained vulnerabilities in Google services that could reveal a YouTube user's email address by combining a leak in the People API with the Pixel Recorder service. Google raised its bug bounty payout to $10,633 after recognizing the chain's high potential for exploitation. In a separate item, Fortinet disclosed a privilege-escalation vulnerability (CVE-2024-40591) in FortiOS that administrators should fold into their patching schedule. The Kraken ransomware group claimed to have compromised Cisco and published allegedly sensitive information, although Cisco contends the data stems from a previously resolved incident. The Department of Government Efficiency launched a poorly built website, doge.gov, which quickly showed signs of design flaws that could allow unauthorized changes to its content. Zacks Investment Research suffered a significant data breach, with 12 million user records leaked online, including personal information and unsalted password hashes. The FBI's Operation Level Up thwarted numerous cryptocurrency investment scams in the U.S., saving potential victims over $285 million by warning them that they were being targeted.
2025-02-17 00:05:15 theregister NATION STATE ACTIVITY Chinese APT40 Targets Pacific Islands; Fujitsu Faces Tariff Challenges
Fujitsu's North America CEO, Asif Poonja, predicts reduced technology investment due to impending US tariffs, potentially hindering the company's growth targets amid a strategic shift to AI-centric services. Pacific Island nations have been targeted by the Chinese state-sponsored group APT40, which used modified malware for persistent network access, undetected activity, and exfiltration of sensitive data. The U.S., together with allies Japan and Australia, is working to strengthen cybersecurity in the Pacific region and counter China's growing influence through infrastructure and economic offers. Papua New Guinea's tax authority rapidly recovered from a ransomware attack, crediting its business continuity planning and ongoing commitment to cybersecurity. McDonald's China is working with Tencent Cloud to handle demand spikes through auto-scaling, optimizing costs and customer experience across varying traffic periods. AWS introduced a new Singaporean English voice for its Polly text-to-speech service, capturing local pronunciation. China launched its Long March 8A rocket, increasing its capacity to deploy low-Earth-orbit satellites for a satellite internet service intended to compete with providers such as SpaceX. South Korea warned against the Chinese AI chatbot DeepSeek for collecting extensive personal data, presenting biased historical information, and giving different answers depending on the language setting.
2025-02-17 00:05:15 bleepingcomputer MISCELLANEOUS Google Chrome Enhances Security Features with AI Technology
Google Chrome has updated its "Enhanced protection" feature by integrating AI to provide "real-time" protection against malicious websites, downloads, and extensions. The AI-enhanced feature has shipped on Chrome's stable channel across all platforms after three months of testing in Canary. Enhanced protection, a component of Google's Safe Browsing service, uses AI to detect and warn users about new and potentially harmful sites that Google has not previously identified. It also performs deeper scans of downloads to identify suspicious files more effectively. While the AI integration is a significant step toward proactive protection, the feature requires users to opt in, as it is turned off by default. Users can enable it under Settings > Security on Windows, Android, and iOS. Google notes that Enhanced protection sends browsing data to Google, which may raise privacy concerns for some users.
2025-02-16 19:05:55 theregister MISCELLANEOUS Zyphra Unveils Advanced AI for Realistic Voice Cloning
Palo Alto-based startup Zyphra has introduced Zonos, a family of text-to-speech models capable of cloning a voice from a short audio sample. The models use transformer and hybrid transformer-Mamba architectures and were trained on over 200,000 hours of diverse speech data. Zyphra says the data was ethically sourced rather than bought from data brokers, and is predominantly English with substantial volumes in other major languages. The output is realistic enough to fool family and friends, though minor pacing issues appear with longer samples. Deployment on local hardware is straightforward using Docker containers, and users can tune output quality through adjustable hyperparameters in a Gradio web GUI. The potential for misuse is significant, ranging from scams to fabricated messages, which is what makes such technology controversial. Legitimate uses also exist, such as helping people with vocal impairments regain their ability to speak, underlining the technology's dual-edged impact.
2025-02-16 15:35:39 bleepingcomputer MALWARE FinalDraft Malware Exploits Outlook for Covert Operations
A new malware family, FinalDraft, uses Outlook email drafts to carry its command-and-control communications and was observed targeting a South American ministry. Discovered by Elastic Security Labs, it is part of an attack chain that includes the PathLoader loader and various post-exploitation tools. FinalDraft supports data exfiltration, proxying, process injection, and lateral movement, and is hard to spot because its traffic consists of draft messages that are never sent. The malware obtains an OAuth token for persistent Microsoft Graph API access, allowing continued covert operation. It supports 37 commands, giving the operators versatile and stealthy remote control. A Linux variant also exists and supports multiple communication protocols for flexibility. The broader REF7707 campaign linked to the malware points to an espionage focus, with targets in Southeast Asia also identified. REF7707's advanced tooling contrasts with operational security errors that ultimately exposed the attackers.
2025-02-15 18:16:15 bleepingcomputer MALWARE PirateFi Game on Steam Spreads Password-Stealing Malware
A Steam game called PirateFi was found distributing the Vidar infostealer, affecting up to 1,500 users. The game was available on Steam from February 6th to February 12th and was presented as a survival strategy game. Users who downloaded it are advised to perform a full system scan, check for unrecognized software installations, and consider reinstalling the operating system. SECUINFRA identified the malware and urged affected users to change their passwords and enable multi-factor authentication. The malicious payload was embedded in a file within the game, used obfuscation techniques, and rotated between several command-and-control servers. The incident is part of a trend of malware distributed through Steam, including previous cases involving Dota 2 and Slay the Spire. Despite Steam's efforts and new security measures such as SMS-based verification, the incident highlights ongoing gaps in the platform's protection against malware.
2025-02-15 15:53:21 theregister MISCELLANEOUS Bruce Schneier Discusses the Persistent Threat to Privacy
Nearly a decade after his influential book, Bruce Schneier revisits the state of personal privacy, which remains severely compromised by both governments and corporations. Despite minor legal adjustments such as the USA Freedom Act, bulk surveillance by government entities like the NSA continues largely unabated. Corporate surveillance has intensified: data harvesting for AI training is now routine, tech monopolies collect more than ever, and invisible data brokers have expanded their monitoring. Individual measures to protect privacy are largely ineffective in the face of ubiquitous surveillance technologies such as smartphones and IoT devices. European GDPR offers some protection against corporate surveillance, but comprehensive privacy law in the US remains unlikely. Schneier sees a bleak short-term outlook for privacy, with some hope for change in the distant future, likening current data practices to historical sweatshops. End-to-end encryption is a modest win for privacy, but advances in AI could undermine it as personal assistants may require access to extensive personal data.
2025-02-15 15:27:06 bleepingcomputer NATION STATE ACTIVITY Russia-Linked Hackers Target Global Sectors via Device Code Phishing
Microsoft has identified a phishing campaign by "Storm-2372," assessed as likely aligned with Russian state interests, targeting Microsoft 365 accounts through device code phishing. Affected sectors include government, NGOs, IT, defense, telecommunications, health, and energy across North America, Europe, Africa, and the Middle East. Storm-2372 abuses the OAuth device authorization flow, a legitimate sign-in method designed for input-constrained devices, to gain unauthorized access to victims' Microsoft services such as email and cloud storage. The attackers first make contact impersonating prominent individuals via messaging platforms, then send fraudulent meeting invites containing an attacker-generated device code. Once the victim enters that code on a legitimate Microsoft sign-in page, the resulting tokens are issued to the attacker, who gains access to the user's data without ever learning the password. Microsoft warns that the attackers can also use the client ID of the Microsoft Authentication Broker during sign-in to obtain further tokens and register a device, extending their foothold. To combat these attacks, Microsoft advises blocking the device code flow where feasible, enforcing strict Conditional Access policies, and monitoring sign-in logs for suspicious device code sign-ins. Immediate revocation of the user's refresh tokens and forced re-authentication is recommended if device code phishing is suspected.
2025-02-15 10:30:55 thehackernews CYBERCRIME Android Enhances Security to Block Fraud During Phone Calls
Google is developing a new Android feature that blocks changes to sensitive settings during phone calls. The measure prevents installing apps from unknown sources and granting accessibility access while a call is in progress. Users who attempt these actions during a call receive a warning that they may be the target of a scam. The feature is part of Android 16 Beta 2 and is aimed at fraudsters who use telephone-oriented attack delivery, in which a caller talks the victim through sideloading malware. Previous campaigns have combined SMS and phone calls to trick users into installing malware such as the dropper app Vultr. In response to ongoing security challenges, Google has expanded restricted settings and introduced automatic blocking of unsafe app sideloading in several markets.
2025-02-15 00:07:56 theregister NATION STATE ACTIVITY Russian-Linked Hackers Use Fake Teams Invites for Phishing
Russia-aligned threat actors tracked as Storm-2372 have been distributing fake Microsoft Teams meeting invites as part of a sophisticated phishing campaign targeting government and business sectors. Microsoft links the operation to efforts supporting Russian state interests, with attacks reported since August 2024 across Europe, North America, Africa, and the Middle East. The technique, known as "device code phishing," tricks victims into completing a sign-in with their own username, password, and multi-factor authentication response on a legitimate Microsoft page, which authorizes a session the attacker started. Attackers initiate contact through messaging platforms, build rapport, and then send phishing emails containing falsified Teams invites that direct victims to the genuine Microsoft login page to enter the device code. Once the victim authenticates with the supplied code, the attackers receive valid access tokens, allowing unauthorized entry to email and cloud storage accounts without further credentials. Storm-2372 then uses that access to send additional phishing messages from within the compromised organization, expanding its reach to other accounts. Microsoft advises limiting use of the device code flow and immediately revoking user tokens when such phishing is suspected.
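Three entries above (the Hacker News, BleepingComputer and Register items on Storm-2372) describe the same abuse of the OAuth device code flow and the same two defensive moves: hunt for device code sign-ins in the Entra ID sign-in log, and block the flow with Conditional Access. The script below is an added example, not Microsoft's or any of the articles' code. It triages constructed sign-in records shaped like the Microsoft Graph `signIn` resource (field names `authenticationProtocol`, `appId`, `userPrincipalName`, `ipAddress`, `location` are assumed from that resource; the users, IPs and timestamps are made up) and builds the Conditional Access policy body that blocks the flow. `BROKER_APP_ID` is an assumed value for the Microsoft Authentication Broker client ID the articles refer to; verify it against Microsoft's documentation before alerting on it.

```python
import json
from collections import defaultdict

# Client ID of the Microsoft Authentication Broker. Assumed value for this
# example; confirm against Microsoft's documentation before relying on it.
BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"

# Constructed sample Entra ID sign-in records (shaped like the Graph `signIn`
# resource). Made up for the example, not real tenant logs.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "appId": "00000000-0000-0000-0000-0000000000aa", "ipAddress": "198.51.100.20",
     "location": {"countryOrRegion": "US"}, "createdDateTime": "2025-02-13T08:00:00Z"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "appId": BROKER_APP_ID, "ipAddress": "203.0.113.7",
     "location": {"countryOrRegion": "RU"}, "createdDateTime": "2025-02-14T09:12:00Z"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "appId": "00000000-0000-0000-0000-0000000000bb", "ipAddress": "203.0.113.9",
     "location": {"countryOrRegion": "NL"}, "createdDateTime": "2025-02-14T10:30:00Z"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "none",
     "appId": "00000000-0000-0000-0000-0000000000aa", "ipAddress": "198.51.100.40",
     "location": {"countryOrRegion": "US"}, "createdDateTime": "2025-02-13T11:00:00Z"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "appId": "00000000-0000-0000-0000-0000000000cc", "ipAddress": "198.51.100.41",
     "location": {"countryOrRegion": "US"}, "createdDateTime": "2025-02-14T12:00:00Z"},
]


def baseline_countries(records):
    """Countries each user signed in from WITHOUT the device code flow; a crude
    'where does this user normally come from' baseline."""
    seen = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            seen[r["userPrincipalName"]].add(r.get("location", {}).get("countryOrRegion"))
    return seen


def triage_device_code_signins(records, broker_app_id=BROKER_APP_ID):
    """One finding per device code sign-in, most severe first.

    critical: the sign-in used the Authentication Broker client ID, the pattern
              Microsoft describes for obtaining further tokens and registering a device.
    high:     device code sign-in from a country the user has no other sign-ins from.
    medium:   any other device code sign-in (still worth review if the flow is
              supposed to be blocked by Conditional Access).
    """
    baseline = baseline_countries(records)
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        upn = r["userPrincipalName"]
        country = r.get("location", {}).get("countryOrRegion")
        if r.get("appId") == broker_app_id:
            severity, reason = "critical", "device code sign-in via Authentication Broker client ID"
        elif country not in baseline.get(upn, set()):
            severity, reason = "high", f"device code sign-in from {country}, outside user's baseline"
        else:
            severity, reason = "medium", "device code flow used"
        findings.append({"user": upn, "ip": r.get("ipAddress"), "country": country,
                         "appId": r.get("appId"), "severity": severity,
                         "reason": reason, "time": r.get("createdDateTime")})
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


def device_code_block_policy(display_name="Block device code flow"):
    """Conditional Access policy body (Graph `conditionalAccessPolicy` shape) that
    blocks the OAuth device authorization grant for all users and applications.
    The `authenticationFlows.transferMethods` condition is assumed from the Graph
    documentation; POST the body to /identity/conditionalAccess/policies."""
    return {
        "displayName": display_name,
        # Start in report-only mode, review the sign-in log impact, then set "enabled".
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f"{f['severity']:8} {f['user']:20} {f['country']} {f['ip']:15} {f['reason']}")
    print(json.dumps(device_code_block_policy(), indent=2))
```

For any critical or high finding, the follow-up the articles recommend is to revoke the user's refresh tokens (Graph `POST /users/{id}/revokeSignInSessions`) and force re-authentication, then check whether a device was newly registered in the tenant around the sign-in time. Ship the policy in report-only mode first: devices that genuinely need the flow (conference-room hardware, CLI tooling on headless hosts) will show up in the report and can be carved out with an exclusion group before enforcement.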
2025-02-14 22:58:40 theregister CYBERCRIME Urgent Patch Required for SonicWall SSL VPN Security Flaw
SonicWall firewalls are exposed to a severe authentication bypass bug (CVE-2024-53704) in the SSL VPN component of SonicOS. The flaw lets remote attackers bypass user authentication, hijack active VPN sessions, and gain unauthorized network access. Arctic Wolf observed active exploitation attempts shortly after proof-of-concept exploit code was made public. Although SonicWall disclosed the vulnerability in early January and released patches, many devices remained unpatched as of February 2025. Suspected nation-state actors and ransomware groups have historically targeted SonicWall devices. Bishop Fox researchers demonstrated exploitation against unpatched systems and described the attack as "trivial". SonicWall urges customers to update affected devices immediately or disable SSL VPN as a temporary measure. Despite the fixes and the critical nature of the flaw, approximately 4,500 SSL VPN servers were still unpatched as of early February 2025.
2025-02-14 21:21:40 bleepingcomputer CYBERCRIME Hackers Exploit Vulnerability in Palo Alto Networks Firewalls
Attackers are exploiting a high-severity authentication bypass (CVE-2025-0108) in the PAN-OS management web interface of Palo Alto Networks firewalls. The flaw stems from path confusion between the Nginx front end and the Apache back end, letting an unauthenticated attacker invoke PHP scripts that should require authentication. Palo Alto Networks has released patches and advises customers to upgrade to fixed versions, noting that PAN-OS 11.0 is end-of-life and will not receive a fix. The vulnerability was reported by Assetnote, which published a detailed write-up of the exploitation method once the patch was available. Exploitation can be used to extract sensitive data, alter firewall configuration, or otherwise manipulate PAN-OS settings. GreyNoise observed active exploitation attempts from several IP addresses beginning February 13. Over 4,400 PAN-OS devices with exposed management interfaces are currently reachable from the internet, increasing the risk. Users are urged to apply patches promptly and to restrict management interface access to trusted internal addresses.