Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12820
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-02-12 13:37:56 | theregister | NATION STATE ACTIVITY | Google Reports Rising Collaboration Between Nation States and Cybercriminals | Google's Threat Intelligence Group highlights increasing cooperation between nation-states, specifically Russia, China, Iran, and North Korea, and cybercriminals to enhance their cyber operations. The report urges global lawmakers to prioritize cybersecurity, particularly urging incentives for adopting secure development practices and enhancing national security policies. Governmental bodies and private sectors are encouraged to invest in cybersecurity resilience, emphasizing the importance of secure systems and applying negative reinforcement through programs like CISA's KEV. Google's insights denote not just a convergence but a reliance of states on illicit cyber markets for tools and operational capabilities, potentially blurring the lines of attribution in state-sponsored cyber activities. The robust cybercriminal ecosystem reportedly acts as a catalyst for state-backed cyber operations, offering resources that are cheaper and more deniable than state-developed alternatives. Google's report calls for heightened international cooperation and effective disruptions of cybercrime infrastructure, including taking action against bulletproof hosters and crypto exchanges. Highlighted economic disruptions and attacks on healthcare underscore the extended reach and impact of these collaborations, showing serious national security implications. | Details |
| 2025-02-12 11:23:11 | thehackernews | MISCELLANEOUS | Guide for CISOs on Leading AI Governance and Security | CISOs are increasingly integral in guiding AI strategies and cross-functional teams within organizations. The article introduces the "CLEAR" framework to aid security leaders in enhancing the adoption and governance of AI technologies. A key aspect of the CLEAR framework is maintaining an AI asset inventory to comply with various regulatory requirements. Security teams are encouraged to proactively identify and train on AI use cases, rather than restricting them, to enhance AI literacy in line with upcoming regulations like the EU AI Act. The enforcement of AI policies is crucial, with emphasis on balancing usability with control to mitigate risks effectively. Real-world AI applications for security tasks such as detection, response, and data loss prevention are highlighted as beneficial. The integration of AI oversight into existing frameworks like NIST AI RMF and ISO 42001 is recommended to avoid creating redundant governance structures. CISOs are advised to leverage the CLEAR approach to demonstrate their leadership and value in their organization's AI journey. | Details |
| 2025-02-12 11:02:16 | bleepingcomputer | DATA BREACH | Google Patches Critical Privacy Flaws Affecting YouTube Users | Google corrected two vulnerabilities that revealed YouTube users' email addresses, posing a significant privacy risk. The vulnerabilities involved leaking Google Gaia IDs via YouTube and converting them to email addresses using Pixel Recorder. These issues could have led to privacy breaches for anonymous content creators, activists, and whistleblowers. The flaw was initially discovered in Google's Internal People API, which exposed Gaia IDs through a YouTube blocking feature. Researchers modified the blocking feature's API call to extract Gaia IDs for any YouTube channel. An outdated Pixel Recorder API converted these IDs into associated email addresses without notifying the affected users via normal channels. Google fixed the vulnerabilities by adjusting how the blocking feature works and disabling the Gaia ID to email conversion process. The fixes came after the researchers demonstrated the exploit; the report, originally considered a duplicate issue, then earned an increased bug bounty reward. | Details |
| 2025-02-12 10:47:53 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Deploy New PowerShell Exploit in Cyberattacks | North Korea-linked hackers, known as Kimsuky, are using a deceptive tactic involving PowerShell to hijack devices, posing as South Korean officials to gain victims' trust. The attackers send spear-phishing emails with PDF attachments that lead victims to websites instructing them to run PowerShell scripts as administrators. Following the instructions on the malicious website results in the download of a remote desktop tool and a certificate with a hardcoded PIN, allowing the hackers remote access to the device. This method of exploitation has been seen in limited attacks since January 2025, marking a shift from the group's usual techniques. Similar strategies have been adopted by other North Korean groups, employing user-executed commands to bypass conventional security measures. Concurrently, an Arizona woman has pleaded guilty to aiding North Korean IT workers in illicitly gaining employment at U.S. firms, facilitating identity theft and fraud and resulting in millions in illicit revenue. The scheme involved using stolen identities to secure remote IT jobs, creating false tax liabilities and conveying false information to the U.S. Department of Homeland Security. Identified breaches by North Korean IT workers include data theft and extortion, threatening to release proprietary data unless ransom demands are met. | Details |
| 2025-02-12 09:45:04 | thehackernews | MISCELLANEOUS | Microsoft Patches 63 Bugs, Two Exploited Actively in Recent Update | Microsoft released fixes for 63 vulnerabilities in its software products, including two being actively exploited. Three vulnerabilities are rated Critical, 57 Important, one Moderate, and two Low severity. The vulnerabilities include CVE-2025-21391, which can be exploited to delete crucial data, and CVE-2025-21418, a privilege escalation flaw. Exploitation of CVE-2025-21418 mirrors previous North Korean Lazarus Group activities, potentially complicating its attribution. High-severity flaws were also patched, including a remote code execution vulnerability (CVE-2025-21198) in HPC Pack, rated CVSS 9.0. All federal agencies are required by CISA to apply these updates by March 4, 2025, to prevent potential breaches and escalations. Other vendors also released security updates recently, highlighting the ongoing need for vigilance across software platforms. | Details |
| 2025-02-12 06:01:18 | thehackernews | CYBERCRIME | Ivanti Releases Security Updates for Multiple Products | Ivanti has issued security patches for Connect Secure, Policy Secure, and Cloud Services Application to address critical vulnerabilities. The flaws could enable attackers to execute arbitrary code if exploited. While there are no current reports of these vulnerabilities being exploited in the wild, Ivanti has historically been a target for sophisticated cyber attacks. Ivanti is enhancing its security measures, including internal scanning, manual testing, and better collaboration within the security community. The company has also become a CVE Numbering Authority to improve its vulnerability disclosure process. Details on other security issues were disclosed, including a patched flaw in SonicWall's SonicOS and new vulnerabilities in Fortinet's FortiOS, both concerning major cybersecurity providers. The urgency for applying these updates is amplified by the ongoing targeting of Ivanti products by nation-state actors for espionage purposes. | Details |
| 2025-02-12 03:01:50 | theregister | MISCELLANEOUS | Microsoft's February Patch Update Includes Critical Fixes | Microsoft's February Patch Tuesday delivers 63 updates, including six released earlier, addressing a range of security vulnerabilities. Two existing vulnerabilities are actively exploited; both require local and authenticated access and affect Windows components like Winsock and Windows Storage. Notable issues mentioned include a potential hypervisor compromise on Surface devices and an NTLMv2 hash leak vulnerability. Microsoft highlighted severe remote code execution risks in high-performance computing clusters and urgent patches for Excel addressing remote code execution. Changes to certificate-based authentication on domain controllers starting February 2025 require admin attention to avoid service disruptions. Alongside Microsoft, other vendors like Adobe, SAP, and Fortinet also released multiple patches addressing critical vulnerabilities in their products. Adobe's patches focus on cross-site scripting and critical code execution flaws, particularly in Adobe Commerce and design software like InDesign and Illustrator. Fortinet fixes a critical authentication bypass vulnerability, flagged as requiring immediate attention. | Details |
| 2025-02-12 00:24:10 | bleepingcomputer | CYBERCRIME | Fortinet Discloses Second Zero-Day Exploit Targeting Firewalls | Fortinet has revealed a new authentication bypass vulnerability (CVE-2025-24472) in FortiOS and FortiProxy, leading to enterprise network breaches by granting attackers super-admin privileges. The vulnerability affects multiple versions: FortiOS 7.0.0 to 7.0.16 and FortiProxy 7.0.0 to 7.2.12. The security patch has been issued in newer versions of these software products. Attackers exploited this flaw and a previously disclosed vulnerability (CVE-2024-55591) to insert rogue admin users, modify firewall policies, and access SSLVPN instances for internal network entry. The attacks, detected since at least mid-November, involve unauthorized administrative logins and modifications on firewall management interfaces exposed to the Internet. Arctic Wolf Labs has reported observing related attacks with similar indicators of compromise, suggesting a widespread and possibly multisource hacking campaign. Organizations are urgently advised to disable or secure management interfaces on public-facing devices to avoid unauthorized access. Fortinet's response includes the development of patches for both vulnerabilities and advice on interim protective measures for affected systems. | Details |
| 2025-02-11 23:51:15 | theregister | NATION STATE ACTIVITY | US Coast Guard's Lapses in Maritime Cybersecurity Exposed | The US Coast Guard lacks a comprehensive cybersecurity strategy for the nation's maritime transportation system, which supports an economy of $5.4 trillion and over 30 million jobs. The Government Accountability Office (GAO) audit reveals significant gaps, including an insufficient strategy document that lacks details on national security risks, measurable targets, and clear implementation roles. The Coast Guard struggles to access complete data on cybersecurity vulnerabilities and past cybersecurity inspection results. Threats from nation-state actors and transnational criminal groups are increasing, including targeted ransomware attacks by groups like BlackBasta. The technical vulnerabilities of IT and operational technology networks supporting maritime operations heighten the risk of catastrophic cyberattacks. Critical cybersecurity personnel vacancies within the Coast Guard remain unfilled, hampering the ability to strengthen maritime cyber defenses. The GAO has recommended several measures to enhance cybersecurity practices, which the Department of Homeland Security has agreed to adopt. | Details |
| 2025-02-11 23:28:09 | theregister | MISCELLANEOUS | Cisco Integrates AMD Pensando DPUs into Smart Switch Lineup | Cisco announced the incorporation of AMD's Pensando DPUs into its Nexus 9300 switch series at Cisco Live Amsterdam, enhancing security, storage, and data handling capabilities. The new switches are equipped with Cisco's E100 ASIC from the Silicon One family, supporting network capacities up to 4.8 Tbps. The smart switches offer various configurations, including 24 x 100 Gbps ports or a 56-port top-of-rack model with multiple port options. Pensando's DPUs, like the Elba and Giglio models, enable the offloading of intensive networking, security, and storage tasks from the main ASIC, aiming to improve system efficiency. These DPUs are not Cisco's most recent versions but still provide robust match processing, encryption, and storage offload capabilities, with each tailored to optimize certain power requirements. Cisco's Hypershield, a hyperscale distributed security service, will be enabled on these DPU-equipped switches to provide enhanced security across Cisco's networks without dedicated firewalls. Shipments of the 24-port Nexus 9300 switches are set to start in the upcoming spring, with the larger 56-port model following in the summer. | Details |
| 2025-02-11 22:25:13 | theregister | MISCELLANEOUS | Key Linux Maintainers Support Integrating Rust Despite Challenges | Key Linux kernel maintainers endorse integrating Rust to improve memory safety, despite not all maintainers agreeing. Miguel Ojeda released a "Rust kernel policy" document, reaffirming the project's continuation and addressing recent disputes in kernel development. Tensions have risen between traditional C programmers and those pushing for Rust, leading to resignations and public disagreements. Linus Torvalds criticized the turning of technical debates into social media spectacles, highlighting the need for keeping politics out of kernel development. Notable departures include Hector Martin from the Asahi Linux project and Wedson Almeida Filho from Rust for Linux, citing frustrations with non-technical disputes. In light of ongoing debates, broad adoption of Rust within the Linux kernel is expected to be gradual and contingent on the evolving composition of the kernel community. The Rust for Linux project demonstrates viability and continued support from influential figures in the field, indicating potential future expansion of Rust code in the kernel. | Details |
| 2025-02-11 20:49:37 | theregister | CYBERCRIME | Triplestrength Group Exploits Ransomware and Cryptomining Tactics | Triplestrength, an emerging cybercriminal gang, simultaneously uses ransomware attacks, cloud account hijacking for cryptomining, and other illicit activities to target organizations. The group has been particularly noticeable on cybercrime forums since 2020 and leverages older ransomware variants such as Phobos, LokiLocker, and RCRU64 through ransomware-as-a-service models. Unlike typical double-extortion tactics, Triplestrength uses "old school" ransomware operations, encrypting victims' files and demanding payments without first stealing the data. Initial access to networks has been gained through brute-force password attacks on services like remote desktop protocols, avoiding the need to exploit zero-day vulnerabilities. The gang has moved its cryptomining operations from victims' on-premises machines to hijacked cloud servers across platforms like Google Cloud, AWS, and Linode, incurring significant costs for the affected organizations. Google's threat intelligence team links the group to illicit cryptomining through online postings and accounts used for both ransomware distribution and cryptomining operations. Triplestrength's activities have major financial implications for victims, costing organizations potentially hundreds of thousands of dollars in cloud computing fees while the criminals earn considerably less per victim. | Details |
| 2025-02-11 18:58:34 | bleepingcomputer | CYBERCRIME | Fortinet Discloses Zero-Day Exploit Compromising Enterprise Firewalls | Fortinet recently identified a new zero-day vulnerability (CVE-2025-24472) affecting FortiOS and FortiProxy, enabling attackers to obtain super-admin rights. Attackers exploit this vulnerability through malicious CSF proxy requests, affecting versions FortiOS 7.0.0 to 7.0.16 and FortiProxy 7.0.0 to 7.2.12. This issue is distinct from another previously documented CVE (CVE-2024-55591), though both are authentication bypasses targeting similar software versions. The exploitation has resulted in unauthorized administrative logins, creation of new user accounts, and modifications to firewall policies and SSL VPN configurations. Arctic Wolf Labs documented a campaign of attacks on Internet-exposed FortiGate firewall management interfaces, suspected to have begun around mid-November. Organizations are advised to disable management access on public interfaces and apply the relevant security updates, or to configure local-in policies as an interim protective measure. Fortinet acknowledged awareness of ongoing exploitation and is actively investigating with its Product Security Incident Response Team (PSIRT). | Details |
| 2025-02-11 18:58:34 | bleepingcomputer | CYBERCRIME | Microsoft Patches Two Active Zero-Days and Other Vulnerabilities | Microsoft's February 2025 Patch Tuesday addressed 55 security flaws, including four zero-day vulnerabilities, two of which were actively exploited. The actively exploited zero-days are a Windows Storage Elevation of Privilege vulnerability and a Windows Ancillary Function Driver for WinSock Elevation of Privilege vulnerability. Also fixed were three critical vulnerabilities categorized as remote code execution vulnerabilities. Among the publicly disclosed but not yet exploited zero-days were a Microsoft Surface Security Feature Bypass vulnerability and an NTLM Hash Disclosure Spoofing vulnerability. The NTLM vulnerability exposes a user's NTLM hashes, potentially allowing attackers to impersonate users. Fixes were also issued for Microsoft Dynamics 365 and Microsoft Edge earlier in the month. The updates come alongside similar security updates from other technology companies, emphasizing a broad response to current cyber threats. | Details |
| 2025-02-11 18:31:50 | theregister | CYBERCRIME | AUKUS Nations Sanction LockBit's Hosting Provider, Zservers | AUKUS (Australia, the UK, and the US) and their allies imposed sanctions on Zservers, a Russian bulletproof hosting provider accused of supporting the LockBit ransomware group. Zservers, based in Barnaul, Russia, reportedly provided crucial infrastructure services that facilitated ransomware attacks, including chatroom hosting for negotiations with victims. The UK's sanctions also target XHOST Internet Solutions, Zservers' UK front company, potentially subjecting business affiliates to criminal and civil penalties. The operation's purported heads, Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov, managed Zservers' marketing to ransomware groups and handled related cryptocurrency transactions. These sanctions are viewed as a strategic move to disrupt a significant component of the global cybercrime ecosystem, affecting not only ransomware operators but other illicit activities supported by bulletproof hosting. The international collaborative effort emphasizes deepening concerns and proactive measures among nations to combat cybersecurity threats emanating from entities operating within Russia. | Details |