Daily Brief

Articles are listed below; the summaries are generated automatically.

Total articles found: 12820

Checks for new stories every ~15 minutes

2025-02-14 18:56:23 bleepingcomputer CYBERCRIME Critical SonicWall Firewall Vulnerability Exploited After PoC Release
Attackers are targeting SonicWall firewalls following the public release of a PoC exploit. The CVE-2024-53704 flaw affects multiple SonicOS versions and allows unauthorized network access by bypassing SSL VPN authentication. CISA has rated the vulnerability critical and urges immediate firmware updates. SonicWall released patches on January 7 and provided mitigation steps to customers before the vulnerability was made public. Arctic Wolf reports increased exploitation attempts since the PoC disclosure, making prompt upgrades urgent. Roughly 4,500 unpatched SonicWall devices were found exposed online, heightening the risk. Previous SonicWall vulnerabilities have been exploited by ransomware affiliates to gain network access. Experts strongly advise disabling SSL VPN where updates cannot be applied promptly.
2025-02-14 18:47:00 thehackernews CYBERCRIME New "whoAMI" Attack Targets AWS AMI for Unauthorized Access
Cybersecurity researchers have unveiled a name confusion attack nicknamed "whoAMI" that exploits Amazon Machine Images (AMI) to execute code remotely within AWS accounts. The attack leverages the ability to publish a malicious AMI with a specific name to the AWS community catalog, potentially misleading software configurations into selecting it over legitimate images. The method mirrors a dependency confusion attack but targets virtual machine images rather than software dependencies. Retrieving AMI IDs via the ec2:DescribeImages API without specifying the "owner" attribute is what exposes code to this attack. Approximately 1% of organizations monitored have susceptible code across multiple programming environments. Amazon responded promptly to the disclosure by implementing a new account-wide setting, "Allowed AMIs," to help limit and secure AMI usage within customer accounts. Tools like HashiCorp Terraform have begun issuing warnings and plan stricter measures in future versions to prevent such exploits.
2025-02-14 18:33:49 thehackernews NATION STATE ACTIVITY North Korean Lazarus Group Targets Developers with New Malware
The Lazarus Group, associated with North Korea, has initiated targeted attacks using a new JavaScript implant named Marstech1. This operation, named "Marstech Mayhem" by SecurityScorecard, involved distributing the malware through a GitHub profile called "SuccessFriend" which has been active since July 2024 but is now inactive. Marstech1 is capable of collecting system information, posing a significant supply chain risk, and has already affected 233 victims across the U.S., Europe, and Asia. The implant targets developers by embedding malicious code in websites and NPM packages, focusing on Chromium-based browsers and altering settings for cryptocurrency wallets like MetaMask. The malware showcases sophisticated evasion techniques including obfuscation and multi-stage encryption, signifying an advanced level of threat actor capability. Additional findings from Recorded Future point to broader espionage activities by North Korean IT workers, potentially acting as insider threats within organizations under the guise of regular employment. Three specific targets identified include a market-making company, an online casino, and a software development firm, compromised in the Contagious Interview campaign between October and November 2024.
2025-02-14 18:18:45 bleepingcomputer CYBERCRIME Critical SonicWall Firewall Bug Exploited After PoC Release
A critical vulnerability, CVE-2024-53704, in SonicWall firewalls allows unauthenticated remote hijacking of SSL VPN sessions. The flaw came under attack following the public release of a proof-of-concept (PoC) exploit by security researchers. The affected SonicOS versions run on multiple SonicWall Gen 6 and Gen 7 firewall models and SOHO series devices. SonicWall released patches for the bug on January 7 and advised customers to update, or to apply mitigations if updating was not immediately possible. Cybersecurity firm Arctic Wolf reported detecting attacks exploiting this vulnerability shortly after the PoC became public. Using the exploit, attackers can bypass multi-factor authentication, disclose private information, and interrupt running VPN sessions. SonicWall initially communicated the need for updates by email before going public, stressing the urgency due to the high exploitation risk. Approximately 4,500 unpatched SonicWall SSL VPN servers were still exposed online as of early February.
2025-02-14 17:33:24 bleepingcomputer MALWARE Malicious "PirateFi" Game on Steam Distributes Vidar Malware
A free game called PirateFi on Steam was found to distribute Vidar malware, impacting about 1,500 users. Steam has advised affected users to reinstall Windows and run thorough system scans with antivirus software. PirateFi presented itself as a survival game, which attracted players but hid malware within its files. The Vidar malware targeted credentials and sensitive data stored in browsers, email clients, and crypto wallets. Security experts advise affected users to change passwords and enable multi-factor authentication. Analysis of the malware found varying obfuscation techniques and command-and-control servers across samples. Steam has faced similar incidents with malicious content in the past and has bolstered its security measures, though challenges remain.
2025-02-14 14:27:14 theregister NATION STATE ACTIVITY PostgreSQL Zero-Day Used in US Treasury Cyberattack Uncovered
A high-severity SQL injection bug in PostgreSQL was exploited in a zero-day attack on the US Treasury. Security researchers identified the bug, CVE-2025-1094, as essential for achieving remote code execution alongside another vulnerability in BeyondTrust products. The flaw affects all versions of the PostgreSQL interactive tool and allows arbitrary code execution through advanced SQL injection techniques. Although BeyondTrust issued patches for CVE-2024-12356, the underlying CVE-2025-1094 remained unaddressed until Rapid7 identified it recently. The complexity of the exploit suggests limited risk of widespread attacks beyond the BeyondTrust versions known to be vulnerable. The attackers leveraged detailed knowledge of the target technologies, underscoring a growing trend of sophisticated zero-day exploitation. PostgreSQL released updates on February 13 to mitigate the vulnerability, highlighting effective collaboration and communication in the disclosure process.
2025-02-14 14:27:14 bleepingcomputer NATION STATE ACTIVITY Chinese Hackers Exploit PostgreSQL Flaw in U.S. Treasury Breach
In December, attackers exploited a PostgreSQL zero-day along with a stolen API key to breach BeyondTrust, impacting 17 Remote Support SaaS instances. BeyondTrust confirmed the exploitation of two zero-day vulnerabilities, CVE-2024-12356 and CVE-2024-12686, during the breach. The U.S. Treasury Department revealed its network was compromised in early January via a stolen BeyondTrust API key linked to Chinese state-backed hackers known as Silk Typhoon. Silk Typhoon targeted critical divisions within the Treasury, stealing unclassified data that could affect national security and trade sanctions. The hackers used two vulnerabilities to carry out espionage, which involved reconnaissance and data theft from sensitive U.S. government offices. Rapid7 identified a second PostgreSQL vulnerability (CVE-2025-1094), which was essential for the remote code execution in the BeyondTrust breach. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) mandated federal agencies to patch the vulnerabilities urgently.
2025-02-14 13:03:13 bleepingcomputer NATION STATE ACTIVITY Chinese Hackers Target Global Telecoms Using Cisco Vulnerabilities
Chinese state-affiliated hackers known as Salt Typhoon have compromised multiple U.S. and global telecommunications providers. The hackers exploited unpatched vulnerabilities in Cisco IOS XE network devices, specifically CVE-2023-20198 and CVE-2023-20273. Recorded Future's Insikt Group identified breaches in networks of U.S. ISPs, a U.K. telecommunications affiliate, and providers in South Africa, Italy, and Thailand. Over 1,000 Cisco devices were targeted, with a significant number in the U.S., and more than 12,000 Cisco devices were found to be exposed online. The breaches are part of a long-term campaign by Salt Typhoon to gain persistent access to telecom networks via compromised Cisco devices. The FBI and CISA confirmed the extensive breaches in October, reporting compromised operations of several major U.S. telecom carriers. Insikt Group urges immediate application of security patches for Cisco IOS XE devices and advises minimizing exposure of network devices to the internet.
2025-02-14 12:21:23 theregister NATION STATE ACTIVITY New IRA Members Charged for Misusing Leaked Police Data
Two suspects linked to the New IRA were arrested and charged under the Terrorism Act 2000 for possessing leaked data on Northern Ireland police officers. The data, originally exposed in a botched Freedom of Information response, contained details of nearly 10,000 police staff and was available online for several hours in August 2023. The suspects, Brian Francis Cavlan and Rory Martin Logan, appear to have acquired the data through secondary sources, as it had been extensively shared. Court proceedings revealed that Cavlan stored parts of the data on his mobile device; his bail application was denied because of a high risk of reoffending. Logan, who had been in possession of the spreadsheets since June 2024, did not apply for bail. A third individual was released pending further investigation, signaling ongoing police scrutiny. The incident is tied to broader security concerns and the mental well-being of officers, amplified by the historical and political sensitivities in Northern Ireland. The breach has had profound consequences, including officers relocating for safety and significant workplace absences, and prompted a formal review that concluded the event was catastrophic for UK police data security.
2025-02-14 11:07:36 thehackernews CYBERCRIME Advances in AI Tools Enhance Social Engineering Threats
AI advancements have enabled cybercriminals to use generative AI for sophisticated social engineering attacks, posing new challenges for IT security. Traditional impersonation techniques are now bolstered with deepfake videos and voice cloning, adding authenticity to fraudulent communications. AI-powered tools can rapidly aggregate publicly available data, allowing attackers to build detailed profiles for targeted attacks. Language barriers are diminishing as attackers use AI to create linguistically accurate and region-specific scams. Large data breaches provide raw material for AI systems, which sort through vast amounts of information to find exploitable data. Recommendations include phasing out voice-based authentication in sensitive applications, reflecting the increased risk from voice cloning. The democratization of hacking tools, facilitated by AI, allows even non-experts to execute large-scale attacks, expanding the threat landscape. Organizations are advised to use threat monitoring tools to detect potentially compromising information on the internet before it can be used against them.
2025-02-14 10:36:25 thehackernews NATION STATE ACTIVITY Russian-Linked Hackers Utilize Device Code Phishing in Global Attacks
Microsoft has identified a new cyber threat group, dubbed Storm-2372, engaging in sophisticated phishing attacks globally since August 2024. The attacks, likely linked to Russian interests, have targeted various sectors including government, defense, and technology across Europe, North America, Africa, and the Middle East. Storm-2372 utilizes a phishing technique known as 'device code phishing' to compromise accounts by tricking users into authenticating fake Microsoft Teams meeting invitations. Once authenticated, the attackers gain access to sensitive data and maintain persistent access using the stolen session tokens, enabling them to move laterally within networks. The attackers also exploit Microsoft's Graph service to conduct keyword searches in compromised accounts for sensitive information which is then exfiltrated. Microsoft recommends organizations enhance their defenses by blocking device code flow, enabling phishing-resistant multi-factor authentication (MFA), and adhering to the principle of least privilege.
2025-02-14 10:19:23 thehackernews MALWARE RansomHub: 2024's Dominant Ransomware Strikes Global Targets
RansomHub RaaS has targeted over 600 organizations worldwide across the healthcare, finance, government, and infrastructure sectors in 2024. The group emerged in February, exploiting vulnerabilities in Microsoft Active Directory and the Netlogon protocol to gain domain control and move laterally across networks. RansomHub upgraded its ransomware capabilities and advertised new variants on dark web markets, promoting remote data encryption via the SFTP protocol. The group's recruitment strategy includes hiring affiliates from competitor groups like LockBit and BlackCat, expanding its operational scope amid law enforcement crackdowns. Initial brute-force attacks provided network entry, escalating to domain control through previously known security flaws and leading to rapid data encryption and exfiltration. Tools including PCHunter and FileZilla were used to disable security measures and steal data, setting the stage for ransom demands. The underlying ecosystem shares, reuses, and rebrands cybercrime tools, indicating intricate collaboration and competition among high-profile ransomware operators. Concurrent developments reveal a robust ransomware scene evolving with varied attack vectors and affiliate incentives, reflecting broader cybersecurity challenges for organizations.
2025-02-14 09:33:58 theregister NATION STATE ACTIVITY German Regulator Questions Apple's App Tracking Policy
Germany's Federal Cartel Office is investigating Apple for potential breaches of competition law concerning its App Tracking Transparency framework (ATTF). The ATTF imposes strict tracking consent requirements on third-party developers but reportedly exempts Apple's own applications, potentially giving Apple a competitive edge. Meta (formerly Facebook) has been significantly impacted by the ATTF, with an estimated $10 billion loss in potential ad sales due to restrictions on cross-platform data usage. The regulator criticizes Apple for the design and wording of consent dialogues in its apps, which it argues are structured to more likely gain user approval compared to third-party app prompts. Apple's apps reportedly face fewer consent prompts than third-party apps, and the prompts supposedly inadequately disclose the extent of Apple's data processing. The investigation highlights concerns about Apple's "comprehensive digital ecosystem," which may allow Apple to leverage extensive user data for its own advertising advantages over competitors. This scrutiny comes after the Federal Cartel Office highlighted Apple's significant market influence in April 2023, leading to extended abuse control measures being applied to the company.
2025-02-14 05:09:19 thehackernews CYBERCRIME Exploitation of PostgreSQL Alongside BeyondTrust Vulnerability
Threat actors exploited a zero-day vulnerability in BeyondTrust products, impacting Privileged Remote Access and Remote Support, and simultaneously exploited a newly discovered SQL injection vulnerability in PostgreSQL, tracked as CVE-2025-1094. CVE-2025-1094 allows attackers to execute arbitrary code by injecting SQL through PostgreSQL's interactive tool psql. The attack was identified during investigations into CVE-2024-12356, a patched flaw in BeyondTrust that allowed unauthenticated remote code execution. PostgreSQL has issued an update; the flaw arises from incorrect handling of UTF-8 characters, which enables SQL injection. CVE-2025-1094 lets attackers execute shell commands or SQL statements directly on the affected system. This dual exploitation was part of broader security findings that also noted an exploited flaw in SimpleHelp remote support software, which federal agencies are required to patch by March 2025.
2025-02-14 02:22:31 theregister NATION STATE ACTIVITY Chinese Espionage Group Suspected in Ransomware Extortion Attack
A Chinese government-backed espionage group, traditionally involved in cyber-spying, has reportedly ventured into ransomware attacks. Symantec identified that the group exploited a Palo Alto Networks authentication flaw to access and encrypt data from a South Asian software company. The attackers demanded a $2 million ransom, halved if paid within three days, encrypting the victim's data using RA World ransomware. The analysts noted the use of a custom PlugX backdoor, previously exclusive to Chinese espionage efforts, indicating the espionage group's involvement. Past operations by the same group include cyberattacks on European and Southeast Asian governmental organizations. There is speculation that this ransomware attack might be an independent act by an individual within the espionage group, aiming to profit personally. Other security analysts have observed a trend where national cyber-espionage agents engage in parallel criminal activities to support financial goals. This incident underscores growing concerns about the merging paths of state-sponsored and criminal cyber operations.