Daily Brief


Total articles found: 12820


2025-02-06 18:37:49 theregister NATION STATE ACTIVITY Senators Question Security Risks from Government Hiring Freeze
Democratic members of the House Committee on Homeland Security and Senate Intelligence Committee are pressing for clarity on the effects of the federal workforce hiring freeze on U.S. national security. The freeze, initiated by President Trump, includes an unspecified exemption for "national security" positions, raising concerns about the vagueness and its impact on cybersecurity roles within federal agencies. The Democrats are particularly concerned about the Cybersecurity and Infrastructure Security Agency's (CISA) apparent inability to fill positions critical for protecting federal networks and infrastructure. The letter highlights growing risks to national security due to potential shortages in qualified cybersecurity personnel, exacerbated by the OPM's buyout offers which may reduce available expertise further. A separate letter from Senate Democrats alleges that Elon Musk’s Department of Government Efficiency (DOGE) may be compromising U.S. security by accessing sensitive and classified materials without proper oversight or adherence to standard security protocols. The Senators are alarmed that DOGE personnel have not undergone standard background checks, thereby increasing the risk of insider threats and leakage of classified information. Both groups of legislators have set deadlines for the Trump administration to respond, stressing the urgency of transparency and accountability in handling national security and personnel management.
2025-02-06 18:19:18 bleepingcomputer CYBERCRIME Attacks Target Critical Microsoft Outlook RCE Vulnerability
CISA issued a warning to U.S. federal agencies about ongoing attacks exploiting a critical vulnerability in Microsoft Outlook, identified as CVE-2024-21413. The flaw, discovered by Check Point researcher Haifei Li, allows remote code execution due to improper input validation when handling emails with malicious links. Microsoft had previously patched this vulnerability and warned that the Preview Pane could serve as an attack vector, allowing exploitation without the email being opened. Attackers use the Moniker Link technique to bypass Outlook's Protected View and execute arbitrary code through malicious Office documents. The vulnerability impacts several Microsoft Office products including Office LTSC 2021, Microsoft 365 Apps for Enterprise, and Outlook 2016. Exploitation can lead to theft of NTLM credentials and execution of arbitrary code when a specially crafted Office document is opened. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog and mandated federal agencies to secure their systems within three weeks. CISA also advises private organizations to prioritize patching this flaw to mitigate the risks associated with these exploits.
2025-02-06 18:02:15 bleepingcomputer MALWARE Hackers Utilize SimpleHelp RMM Flaws to Install Sliver Malware
Researchers at Field Effect confirmed that vulnerabilities in SimpleHelp RMM are actively exploited to deploy Sliver malware. Attackers are creating unauthorized administrative accounts and establishing connections from an Estonian server to carry out their operations. Initial breach techniques include exploiting RMM client vulnerabilities to execute discovery commands and gather extensive network and system information. Post-exploitation activities involve installing a Sliver framework for ongoing control and potentially setting up infrastructure for Akira ransomware attacks. Observations indicate attempts to identify and circumvent the CrowdStrike Falcon security suite, highlighting the sophistication of the threat actors. To maintain persistence, attackers compromise key network points like Domain Controllers and install stealthy backdoors. Field Effect urges all SimpleHelp users to promptly apply security updates for CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728 and to monitor for suspicious administrator accounts or connections.
2025-02-06 17:54:41 bleepingcomputer CYBERCRIME Hackers Exploit SimpleHelp RMM to Breach Corporate Networks
Hackers are exploiting vulnerabilities in SimpleHelp RMM to access corporate networks and potentially facilitate ransomware deployment. Vulnerabilities identified are CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, with active exploitation confirmed by cybersecurity firm Field Effect. Attackers initially gain access through the SimpleHelp RMM client, using it to perform reconnaissance and create administrative accounts for persistent access. Techniques observed include deploying the Sliver post-exploitation toolkit and establishing a Cloudflare Tunnel to evade security measures. The attackers also targeted security software by searching for and attempting to bypass CrowdStrike Falcon. SimpleHelp has released updates to patch these vulnerabilities and advises customers to restrict RMM access to trusted IPs. Companies are urged to monitor for unfamiliar administrator accounts and unknown external IP connections as described in Field Effect's report.
2025-02-06 16:46:59 bleepingcomputer MALWARE Critical Cisco ISE Vulnerabilities Patched, Root Access Risk
Cisco has addressed critical vulnerabilities in its Identity Services Engine (ISE) that could allow authenticated remote attackers to execute commands as root. The flaws, CVE-2025-20124 and CVE-2025-20125, enable attackers with read-only admin access to bypass authorization and modify system configurations or reload devices. The CVE-2025-20124 issue involves insecure deserialization of Java byte streams and has a high severity rating of 9.9 out of 10. Affected products include Cisco ISE and Cisco ISE Passive Identity Connector appliances, regardless of their configuration. Cisco advises administrators to upgrade their systems to the patched versions listed to mitigate the vulnerabilities. Alongside these issues, Cisco also alerted users about separate high-severity vulnerabilities in its IOS, IOS XE, IOS XR, and NX-OS software, which include potential DoS and signature verification bypass risks. There is no evidence these critical vulnerabilities have been exploited in the wild; proactive patching and system updates are strongly recommended.
2025-02-06 16:10:10 bleepingcomputer DDOS Ongoing DDoS Attacks Disrupt DayZ and Arma Game Services
Bohemia Interactive's games, including DayZ and Arma Reforger, are experiencing ongoing DDoS attacks leading to server connectivity issues. The attacks began last Friday, and despite efforts, players continue to face difficulties accessing the games online. Bohemia Interactive has acknowledged the issues and apologized, but has not provided specific details or timelines for resolution. Community frustration is growing, with increasing demands for refunds and criticisms over lack of transparency. Alternatives such as playing against AI locally or on experimental servers have been proposed but met with limited satisfaction from players. A group named 'styled squad reborn' has claimed responsibility for the DDoS attacks, but this has not been confirmed by Bohemia Interactive. Rumors suggest motivations ranging from ransom demands, which were later claimed as a joke, to political/ideological protests related to game content. The official Bohemia Interactive website is currently non-functional, further complicating communication and resolution efforts.
2025-02-06 14:42:22 thehackernews MALWARE Bogus Chrome Installers Used to Deploy ValleyRAT Malware
Bogus websites promoting Google Chrome have been distributing malware-laced installers that carry a remote access trojan named ValleyRAT. ValleyRAT, which surfaced in 2023, is linked to the Silver Fox threat actor group, known for its focus on Chinese-speaking regions including Hong Kong, Taiwan, and Mainland China. The malware targets individuals in critical organizational roles, especially in finance, accounting, and sales, aiming to access private data and systems. Attack methods previously included drive-by downloads targeting Chinese-speaking Windows users via fake Chrome installer packages, akin to those used to deploy Gh0st RAT. Recent attack vectors involve a fake Google Chrome site that leads users to download a ZIP file containing a malicious "Setup.exe." This setup file checks for administrative privileges and then pulls additional malicious payloads. ValleyRAT can monitor screen content, capture keystrokes, and maintain persistence on infected machines. It communicates with a remote server for further malicious activities, including downloading and executing additional payloads. Analyst Shmuel Uzan noted that signed legitimate applications vulnerable to DLL search order hijacking were abused to facilitate payload injection.
2025-02-06 14:42:22 bleepingcomputer DATA BREACH IMI plc Reports Security Breach, Investigation Underway
British engineering company IMI plc announced a security breach with unauthorized system access. IMI, a global leader in precision fluid engineering, operates in 50 countries and is listed in the FTSE100 Index. The company has enlisted external cybersecurity experts to investigate and mitigate the breach. Details including the breach’s impact on operations or data theft are yet to be disclosed. IMI pledged to meet regulatory obligations and promised further updates in due course. No immediate comment was available from IMI representatives regarding further details. This incident follows similar recent disclosures by other major companies like Smiths Group and Conduent.
2025-02-06 14:07:35 thehackernews CYBERCRIME Ransomware Extortion Declines in 2024 Despite Rising Attacks
Ransomware payments totaled $813.5 million in 2024, down from $1.25 billion in 2023 according to Chainalysis. The average ransom payment increased to $553,959 in Q4 2024, while the median payment saw a significant drop of 45% to $110,890. Despite more ransomware cases, the number of victims opting to pay decreased, attributed to faulty decryption tools and distrust of cybercriminals. The cybercrime landscape saw the entry of newer groups targeting smaller organizations with smaller ransom demands after major players like LockBit collapsed. Law enforcement efforts in cracking down on cybercriminal networks and crypto laundering services have disrupted financial incentives for ransomware operations. The industrials sector was most affected, experiencing 27% of all ransomware attacks in 2024. The most prevalent ransomware variants were Akira, Fog, and RansomHub, with new entrants using psychological tactics and exploiting VPN vulnerabilities.
2025-02-06 11:38:06 thehackernews MALWARE SparkCat Malware Steals Crypto Wallet Data via OCR Technology
SparkCat malware has infiltrated both the Apple and Google app stores, hiding in apps posing as AI, food delivery, and Web3 platforms. It uses optical character recognition (OCR) to extract cryptocurrency wallet mnemonic phrases from images in victims' photo libraries. The campaign has been active since March 2024, and it marks one of the first OCR-based stealers detected in Apple's app store. Infected Android apps have been downloaded over 242,000 times; the malware employs Google's ML Kit library for text recognition. SparkCat communicates with command-and-control (C2) servers using a Rust-based mechanism, a rare feature in mobile apps. It specifically targets users in Europe and Asia and is believed to be orchestrated by Chinese-speaking threat actors. It uses legitimate-sounding permission requests to camouflage its malicious activity within otherwise functional apps. The disclosure ties into broader concerns about malware in official app stores and the rise of information stealer attacks across operating systems.
2025-02-06 11:21:21 thehackernews MISCELLANEOUS How PAM Solutions Bolster Cybersecurity and Business Efficiency
Privileged Access Management (PAM) is becoming integral to cybersecurity strategies with projections to become a $42.96 billion market by 2037. PAM solutions boost security, ensure regulatory compliance, and facilitate operational efficiency across industries. Insider threats, often underestimated, account for 31% of data breaches, emphasizing the need for strong PAM systems. The rise of sophisticated cyberattacks, powered by AI and ML, necessitates advanced PAM features to protect against state-sponsored and organized crime threats. Hybrid work environments increase the complexity of managing privileged access, thus underscoring the importance of robust PAM solutions. Regulatory pressures like GDPR, HIPAA, and PCI DSS demand meticulous access controls and incident response strategies; PAM can help organizations meet these requirements. Modern PAM systems integrate with SIEM, UAM, and IT ticketing systems for enhanced security and operational oversight. PAM not only secures assets but also drives operational efficiencies, reduces IT workload, and can lead to cost savings through reduced cyber insurance premiums.
2025-02-06 11:11:33 thehackernews NATION STATE ACTIVITY North Korean Kimsuky Group Targets Credentials with forceCopy Malware
North Korean hacking group Kimsuky has initiated spear-phishing attacks using forceCopy malware to steal browser-stored credentials. The attack chain starts with phishing emails containing deceptive Windows shortcut files, appearing as Microsoft Office or PDF documents. Opening these attachments launches PowerShell or mshta.exe to download and execute further malicious payloads, including the PEBBLEDASH trojan and a modified RDP Wrapper. The forceCopy malware targets web browser directories to bypass security and extract credential configuration files. In addition to forceCopy, a PowerShell-based keylogger and proxy malware are deployed to facilitate persistent external network communications via RDP. This operational shift marks a strategic evolution from Kimsuky's usual use of custom backdoors for similar purposes. The group, known by multiple aliases and affiliated with North Korea's primary foreign intelligence service, has been active since at least 2012 and is skilled in evading email security measures.
2025-02-06 11:01:42 thehackernews MALWARE Top Ransomware Threats in 2025: Impact and Prevention Strategies
Ransomware continues to pose significant threats globally by targeting hospitals, banks, and small companies, demanding ransom in Bitcoin with no certainty of data recovery. LockBit, a well-known ransomware, uses a Ransomware-as-a-Service (RaaS) model and double extortion tactics to evade security measures, which allows affiliates widespread distribution across various sectors. When detonated in a simulated environment such as ANY.RUN's Interactive Sandbox, LockBit reveals itself through altered file icons and dropped ransom notes, enabling security teams to analyze and block the threat proactively. Lynx, a new ransomware targeting small to medium-sized businesses, exploits weaker security systems to encrypt data and threatens leaks on public and dark web sites unless a ransom is paid. ANY.RUN's sandbox analysis offers insights into Lynx's operational tactics, providing critical data for preventing breaches by simulating ransomware attacks and testing defense strategies without risking actual systems. Virlock, a self-replicating ransomware first seen in 2014, uniquely combines file encryption with polymorphism, spreading through cloud storage and collaboration platforms. Preventive measures against ransomware include the use of interactive analysis tools like ANY.RUN, which monitor and simulate ransomware behavior in a secure environment, offering detailed reports and enabling strategic defense enhancements.
2025-02-06 07:45:49 thehackernews MALWARE Cisco Fixes Critical Flaws in Identity Services Engine
Cisco has released updates for two critical vulnerabilities in its Identity Services Engine (ISE). The flaws allow remote attackers to execute arbitrary commands and elevate privileges on affected devices. Attackers can exploit these vulnerabilities by sending a crafted serialized Java object or an HTTP request to a specific API endpoint. The vulnerabilities do not rely on each other, and there are no alternative mitigations aside from updating. Deloitte security experts, Dan Marin and Sebastian Radulea, identified and helped remedy these vulnerabilities. Cisco has patched the issues in recent versions and urges users to update their systems to prevent potential exploits. No instances of malicious exploitation have been reported, but users are strongly advised to remain vigilant and maintain system updates.
2025-02-06 03:02:54 bleepingcomputer MALWARE Microsoft Releases Script to Combat UEFI Bootkit Threats
Microsoft has introduced a PowerShell script to update bootable Windows media, ensuring it aligns with new UEFI security certificates. The update is in response to threats posed by the BlackLotus UEFI bootkit, which can bypass Secure Boot, gaining high-level system access and disabling critical security features. The PowerShell script aids in the adoption of the "Windows UEFI CA 2023" certificate to mitigate vulnerabilities utilized by BlackLotus. Security updates addressing a Secure Boot bypass, identified as CVE-2023-24932, have been issued but are rolled out gradually to avoid boot issues. The staged rollout allows Windows administrators to trial the updates, ensuring compatibility before company-wide enforcement by the end of 2026. The updates revoke older boot managers signed with the "Windows Production CA 2011" certificate, preventing them from loading and reducing risk. Microsoft emphasizes the necessity of updating recovery or installation media in parallel with systems upgrades to avoid boot failures during transitions. Administrators are encouraged to download and use the provided script after installing the Windows ADK to facilitate secure transitions and testing.