Daily Brief
Total articles found: 12820
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-02-05 15:02:11 | bleepingcomputer | MISCELLANEOUS | Preventing S3 Bucket Namesquatting: Techniques and Tools | AWS S3 bucket namesquatting exploits predictable bucket names, allowing bad actors to preemptively register or hijack buckets. This can lead to traffic redirection, denial-of-service, or worse, manipulation of cloud resources and unauthorized admin account creation. Namesquatting surges with the release of new AWS regions and with the predictable naming patterns produced by tools like the AWS Cloud Development Kit. The article highlights the importance of customizing S3 bucket names and securing them against public access to prevent unauthorized use. Varonis offers solutions to secure AWS environments by automating security processes, classifying sensitive data, and mitigating risks from misconfigurations. Varonis' tools and services have helped organizations, particularly in the energy sector, secure critical data and comply with international security standards. The piece underscores the urgency for AWS users to vigilantly manage S3 bucket naming and access policies to protect against potential security breaches. | Details |
| 2025-02-05 13:36:27 | theregister | NATION STATE ACTIVITY | Ex-Googler Charged with Stealing AI Secrets for Chinese Firms | Linwei Ding, a former Google software engineer, faces additional charges including economic espionage and theft of Google's trade secrets. He is accused of stealing over a thousand files related to Google's AI technology between 2022 and 2023 and transferring them to Chinese companies. He allegedly used a method involving Apple Notes and PDFs to circumvent Google's data loss prevention systems. After starting the alleged theft, Ding received a CTO job offer from Beijing Rongshu Lianzhi Technology and later founded Shanghai Zhisuan Technology as CEO. Allegations suggest Ding's Chinese startup aimed to replicate and enhance Google's technology to meet Chinese national standards. Google detected suspicious activity in December 2023, leading to the revocation of Ding's access and the eventual seizure of related devices by the FBI. Ding faces up to fifteen years in prison and a $5 million fine per count of economic espionage if found guilty. | Details |
| 2025-02-05 13:05:02 | thehackernews | CYBERCRIME | Cybercriminals Exploit HTTP Client Tools in Mass Account Takeovers | Proofpoint identified that cybercriminals are using legitimate HTTP clients like Axios and Node Fetch for Account Takeover (ATO) attacks on Microsoft 365 environments. These tools, sourced from public repositories, enable Adversary-in-the-Middle (AitM) and brute force attacks, significantly increasing successful ATO incidents. Research shows a worrying trend where 78% of Microsoft 365 tenants experienced at least one ATO attempt by late last year, with these attacks peaking in May 2024 and leveraging millions of compromised IPs. The Axios campaigns specifically target high-value individuals across various sectors including transportation and finance, with a success rate impacting over half of the targeted organizations between June and November 2024. Additionally, a large-scale password spraying attack was detected, involving more than 13 million login attempts since June 9, 2024, using clients like Node Fetch and Go Resty. Despite the high volume of password spraying attempts, the success rate remained low, affecting only 2% of targeted entities, primarily user accounts in the education sector. Cybersecurity analysts emphasize the evolution of threat actors' tools, noting that HTTP client tools offer distinct advantages that increase attack efficiency, and suggest an ongoing trend of attackers adopting new technologies to evade detection. Proofpoint warns of a continuous shift in tactics among cybercriminals, reflecting a broader pattern of evolution aimed at enhancing attack effectiveness and minimizing exposure. | Details |
| 2025-02-05 12:54:49 | thehackernews | NATION STATE ACTIVITY | Silent Lynx's Sophisticated Multi-Stage Cyberattacks in Central Asia | Silent Lynx is a previously undocumented group believed to originate from Kazakhstan, engaging in targeted cyberattacks across Kyrgyzstan and Turkmenistan. These attacks primarily affect embassies, legal professionals, state banks, and economic think tanks, suggesting espionage motives. Attack vectors include spear-phishing emails with RAR archives that deploy multi-stage malware written in C++, PowerShell, and Golang. The malware facilitates remote access, command execution, and data exfiltration, using Telegram bots for command and control. Detected incidents involve ISO files containing malicious binaries and decoy documents, alongside executables that establish reverse shells. There are tactical similarities between Silent Lynx and YoroTrooper, indicating possible shared methods or collaboration targeting the Commonwealth of Independent States. Seqrite Labs' analysis highlights the advanced nature of these campaigns, emphasizing the attackers' strategic geopolitical interest in Central Asian and SPECA nations. | Details |
| 2025-02-05 12:21:24 | thehackernews | MALWARE | Veeam Patches Critical Flaw in Backup Software Offering | Veeam has patched a critical vulnerability in its Backup software that could allow arbitrary code execution. The security flaw, identified as CVE-2025-23114, has a high severity rating of 9.0 on the CVSS scale. The vulnerability exists in the Veeam Updater component and can be exploited through a Man-in-the-Middle attack. Attackers could potentially execute arbitrary code with root-level permissions on the affected server. The issue affects multiple Veeam products, but only specific deployments involving major cloud services and virtual environments. Updated software versions that address this vulnerability have been released for affected systems. Systems not interacting with cloud services like AWS, Google Cloud, or Microsoft Azure, among others, are not impacted by this flaw. | Details |
| 2025-02-05 11:05:59 | thehackernews | MISCELLANEOUS | Growing Focus on IT Vulnerability Assessments in Cybersecurity | Organizations are increasing the frequency of their IT security vulnerability assessments due to elevated cyber risks. The shift from biannual to more frequent assessments highlights the need for continuous monitoring and adaptation to emerging threats. Lack of proper user training is recognized as a major source of cybersecurity issues, with poor user practices accounting for many security breaches. Interest in cybersecurity investment, particularly in vulnerability assessments, has risen significantly, doubling in the past year. Investments in cloud security, automated pentesting, and network security are also increasing, addressing fast-evolving cybersecurity challenges. Proactive measures like vulnerability assessments are proving effective in reducing the costs associated with cybersecurity incidents. VulScan offers intuitive tools for vulnerability management, prioritizing and addressing security gaps efficiently. | Details |
| 2025-02-05 09:48:34 | thehackernews | MALWARE | Stealthy AsyncRAT Malware Campaign Uses Python and Cloud Services | A new malware campaign uses Dropbox and Cloudflare services to distribute the AsyncRAT remote access trojan via email phishing. The multi-stage infection starts with a phishing email containing a Dropbox URL, which downloads a ZIP archive with a deceptive PDF and a malicious LNK file. The LNK file triggers PowerShell to execute JavaScript, leading to a batch script that downloads another ZIP containing Python payloads. These payloads are capable of executing multiple malware families, including AsyncRAT, Venom RAT, and XWorm, while remaining hidden. The campaign exploits legitimate infrastructure to trick users into thinking they are interacting with trustworthy sources. This approach reflects broader phishing trends where services like Microsoft, Google, and Zendesk are abused to harvest user credentials or conduct investment scams. The observed tactics indicate an ongoing increase in sophisticated phishing operations combining social engineering with advanced technical methods. | Details |
| 2025-02-05 05:17:51 | thehackernews | CYBERCRIME | CISA Identifies Four New Exploited Vulnerabilities, Sets Fix Deadline | CISA has updated its KEV catalog with four actively exploited security flaws. These vulnerabilities have previously been addressed by the vendors. There are no detailed public reports on the specific real-world use of these vulnerabilities. Federal agencies are required to implement fixes by February 25, 2025, to avoid potential risks. The directive aims to enhance the cybersecurity posture of Federal Civilian Executive Branch agencies. CISA's notice underscores the ongoing threat landscape and the importance of timely updates in cybersecurity defenses. | Details |
| 2025-02-04 23:36:35 | theregister | MALWARE | Google Exposes AMD CPU Security Vulnerability, Fixes Underway | Google researchers have discovered a vulnerability allowing them to load unofficial microcode into AMD processors, which can alter the chip's operation, such as making the random number generator output a fixed value. The exploit involves unauthorized microcode that bypasses AMD's cryptographic checks, appearing to be officially signed by AMD, enabling potential malicious use. This vulnerability affects all AMD Zen-based chips, including the latest Ryzen and Epyc series, and has implications for encrypted virtualization and root-of-trust security features. The proof-of-concept demonstrated makes the RDRAND instruction always output the value 4, which could compromise data protection and security processes relying on randomness. AMD has acknowledged the vulnerability, tracked as CVE-2024-56161 with a CVSS score of 7.2, and is rolling out fixes through official microcode updates. Exploitation requires host administrator-level access, underscoring the severity and sensitivity of the access needed to use this vulnerability. Updates have started for data center-class and embedded processors, with further remedies for personal computing chips anticipated. Additional details and tools from Google are expected to be released on March 5, 2025, to aid in securing affected systems against potential exploits of this vulnerability. | Details |
| 2025-02-04 21:31:21 | bleepingcomputer | CYBERCRIME | Zyxel Warns Users of Vulnerable End-of-Life Routers Being Exploited | Zyxel issued a security advisory indicating that its CPE Series devices, which are end-of-life (EoL), are currently being exploited due to vulnerabilities. The company will not release patches for these vulnerabilities and recommends that users upgrade to newer models. VulnCheck, the firm that discovered these exploits, reported that attackers are targeting these devices to gain network access. Over 1,500 Zyxel CPE Series devices are still active and visible on the internet, posing a significant security risk. VulnCheck detailed the exploitation techniques for the vulnerabilities, particularly affecting models such as the VMG4325-B10A. Current exploitation could potentially lead to unauthorized access and further network compromise. Zyxel acknowledges that the affected router models reached EoL years ago and stresses the importance of upgrading to secure network infrastructure. Additionally, Zyxel disclosed a third security flaw, a post-authentication command injection vulnerability, further highlighting the devices' security weaknesses. | Details |
| 2025-02-04 18:27:33 | bleepingcomputer | NATION STATE ACTIVITY | Global Cyber Alliances Urge Enhanced Security for Edge Devices | Five Eyes cybersecurity agencies from the UK, Australia, Canada, New Zealand, and the U.S. have issued joint security guidance for manufacturers of network edge devices. The guidance emphasizes improving forensic visibility on devices like firewalls, routers, VPN gateways, and IoT devices to aid in detecting attacks and investigating breaches. Edge devices are vulnerable due to lack of Endpoint Detection and Response (EDR) support, infrequent firmware updates, weak authentication, inherent security flaws, and limited logging capabilities. These weaknesses make edge devices prime targets for state-sponsored and financially motivated attackers, facilitating unauthorized access to internal networks. CISA and NCSC urge device manufacturers to integrate robust, secure logging and forensic features by default to enhance network defenders' ability to identify and address malicious activity. The continuous targeting of edge networking devices has prompted CISA to issue "Secure by Design" alerts and specific calls for action against known vulnerabilities exploited by threat actors like Velvet Ant and Volt Typhoon. Network defenders are advised to follow the new guidelines when selecting physical and virtual network devices for better protection against foreign intrusion and cyber threats. | Details |
| 2025-02-04 17:45:59 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Exploit SSH Backdoor in Covert Network Attacks | Chinese cyber-espionage group Evasive Panda has deployed a new SSH backdoor, "ELF/Sshdinjector.A!tr", in network appliance hacks since mid-November 2024. The malware suite targets the SSH daemon, injecting malicious SSH libraries for persistent access and covert operations, including system reconnaissance and credential theft. Fortinet's FortiGuard researchers have identified multiple components within the malware that ensure persistence and allow extensive control and data exfiltration from compromised devices. Researchers used AI-assisted tools for reverse-engineering the malware, encountering challenges such as hallucination, extrapolation, and omissions, yet noting significant potential in these technologies. Fortinet has already updated its FortiGuard AntiVirus service to protect customers against these threats, with detections for ELF/Sshdinjector.A!tr and Linux/Agent.ACQ!tr. The threat actors have been active since 2012, previously engaging in other significant cyber-espionage activities such as deploying macOS backdoors and executing supply chain attacks via ISPs in Asia. Technical details on the initial breach method for the network appliances remain undisclosed; however, the malware checks for root privileges and existing infections before executing its payload. | Details |
| 2025-02-04 17:36:05 | theregister | CYBERCRIME | Undetected Malicious Go Package Exposes Supply Chain Vulnerabilities | A security researcher discovered a backdoor in a Go language package mimicking the legitimate BoltDB module, which is used by over 8,000 packages and large entities like Shopify and Heroku. The malicious package, made to appear similar to the official one through typosquatting, enabled remote code execution and remained undetected for three years. Only two imports of the counterfeit package were recorded, by a small cryptocurrency project, indicating limited impact. This incident exposes a critical flaw in Go's package system, particularly the indefinite caching of the Go Module Mirror, which allows malicious versions to persist. The incident emphasizes the need for heightened awareness and preventive measures in software supply chain security, suggesting that package integrity checks and dependency analysis are crucial. The Go team has been notified about the malicious package for removal, though there had been no response at the time of reporting. This event underscores the balance between the benefits of immutable modules in Go's ecosystem and the potential abuse vectors they present. | Details |
| 2025-02-04 16:35:19 | bleepingcomputer | CYBERCRIME | Netgear Addresses Critical Vulnerabilities in Multiple Routers | Netgear has issued patches for two critical vulnerabilities in various WiFi router models. The security flaws affect WiFi 6 access points and Nighthawk Pro Gaming routers. Threat actors could exploit these vulnerabilities for remote code execution and authentication bypass without user interaction. Users are urged to update their router firmware immediately to mitigate risks. A list of affected models and the necessary firmware updates has been provided by Netgear. Netgear has emphasized the importance of completing the firmware update to prevent potential exploitation. Previous advisories in recent months have addressed other vulnerabilities within Netgear routers. Despite outreach, a Netgear spokesperson has not provided further comment on the details of the vulnerabilities. | Details |
| 2025-02-04 15:37:29 | theregister | DATA BREACH | Grubhub Security Incident Exposes User Data Through Third-Party | Grubhub experienced a security breach via a third-party service provider, compromising user data including contact information and partial payment details. The breach involved unauthorized access to data such as names, email addresses, phone numbers, and the last four digits of payment cards. Grubhub has not specified the number of affected users but disclosed that the incident included data from students using its Campus Dining service. The company has since revoked the compromised third-party account's access and engaged forensic experts to contain and investigate the breach. Grubhub advised all users to update their passwords and has already rotated hashed passwords used in certain legacy systems. The incident has reportedly been contained, with Grubhub strengthening security measures and adding anomaly detection to prevent future breaches. No sensitive personal information like Social Security numbers or full payment details was reportedly compromised. Grubhub reaffirms its commitment to protecting user data and maintaining trust among customers, merchants, and delivery drivers. | Details |