Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12820
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-01-31 15:16:45 | bleepingcomputer | DATA BREACH | Mizuno USA Suffers Data Breach, Personal Information Stolen | Mizuno USA experienced a data breach in which hackers accessed and stole files from its network between August and October 2024. The breach affected an undisclosed number of individuals, exposing sensitive personal information such as names, Social Security numbers, financial details, and driver's license and passport numbers. Mizuno detected suspicious activity in its network on November 6, 2024, leading to the discovery of the breach. Following an investigation, it was found that this was part of a wider incident claimed by the BianLian ransomware group, which had previously targeted Mizuno in February 2022. The company completed a detailed review of the implicated files by December 18, 2024, and has begun notifying impacted individuals, offering them free credit monitoring and identity protection services. Mizuno advises those affected to monitor their accounts and credit reports for signs of unauthorized activity and potential identity theft. The BianLian ransomware group has notably switched to extortion-only attacks since January 2023 and continues to target a broad spectrum of victims globally. | Details |
| 2025-01-31 14:37:40 | theregister | MISCELLANEOUS | Best Practices for Communicating Cybersecurity Risks to Executives | Many cybersecurity professionals struggle with translating complex technical details into simple, impactful messages for executive audiences. Effective risk communication requires empathy and clarity, making the information relatable and straightforward to grasp. Using metaphors and visuals, as in the movie "The Big Short," helps make abstract concepts understandable by comparing them to everyday situations. Quantifying risks with clear data and continuous testing insights can help make the business impacts of threats tangible, fostering quicker executive decision-making. Always aligning cybersecurity risks with business goals, such as growth, revenue, and customer trust, ensures relevance and can aid in securing necessary resources. Personal anecdotes emphasize the importance of speaking in terms executives understand, focusing on outcomes rather than technical specifics. Successful communication not only informs but also builds trust, aligns teams, and showcases cybersecurity as a crucial business enabler. | Details |
| 2025-01-31 13:26:09 | bleepingcomputer | DATA BREACH | Over 1 Million Patients Affected in Community Health Center Breach | Community Health Center (CHC) in Connecticut reported a data breach affecting over 1 million patients, compromising personal and health information. The breach, identified on January 2, 2025, occurred after unauthorized access was gained to CHC's network around mid-October 2024. CHC asserts that the breach did not involve encryption of its systems or disruption to its healthcare services. Investigations attribute the breach to a "skilled criminal hacker," although no data was deleted or locked by the attacker. CHC believes it curtailed the hacker's access within hours and assesses no ongoing threat to its systems. The incident forms part of a broader trend in which cybercriminals, like the BianLian ransomware gang, shift from encryption to data theft and extortion. U.S. healthcare breaches are escalating, prompting potential HIPAA updates by the Department of Health and Human Services to enhance data security protocols. | Details |
| 2025-01-31 13:16:19 | thehackernews | CYBERCRIME | Critical Backdoor Discovered in Contec CMS8000 Patient Monitors | CISA and the FDA have issued warnings about a critical backdoor in Contec CMS8000 and Epsimed MN-120 patient monitors. CVE-2025-0626, with a high-severity score of 7.7, involves unauthorized remote access via a hard-coded IP address, posing substantial security and privacy risks. Devices could download and execute unverified files remotely, facilitated through an embedded reverse backdoor in the firmware. Additional vulnerabilities could enable access to sensitive patient data and create the potential for an adversary-in-the-middle attack scenario. No known cybersecurity incidents related to the vulnerability have been reported to date; however, the threat remains because the issues are unpatched. CISA advises healthcare providers to disconnect the implicated monitors, which are also marketed under another brand name, to prevent potential exploitation. Healthcare facilities are urged to monitor for discrepancies in displayed patient data, which might indicate compromise or malfunction of the device. | Details |
| 2025-01-31 11:57:38 | bleepingcomputer | CYBERCRIME | Global Police Shut Down HeartSender Phishing Network and Hacking Forums | Law enforcement in the U.S. and the Netherlands seized 39 domains used by the HeartSender phishing gang based in Pakistan. HeartSender, involved in cybercrime for over a decade, supplied tools like phishing kits and malware to organized crime groups. HeartSender's operations, linked to $3 million in losses in the U.S. alone, involved tools for schemes like business email compromise and credential theft. U.S. and Dutch authorities have not yet announced arrests or charges under the ongoing 'Operation Heart Blocker.' Additional actions under 'Operation Talent' led to the closure of the major hacking forums Cracked and Nulled, with two arrests in Spain. Seizures included 17 servers and several domains, dismantling networks that collectively affected millions of users and generated significant revenues from ads for cybercrime tools. The Netherlands police offer an online tool to check whether personal data was compromised in the seized HeartSender datasets. | Details |
| 2025-01-31 11:18:05 | thehackernews | CYBERCRIME | Emerging Threats: AI-Enhanced Social Engineering Tactics Explained | AI is increasingly being used to conduct social engineering attacks by exploiting human emotions like trust and fear. Notable incidents include a deepfake audio clip that potentially influenced election results in Slovakia by mimicking a political candidate. A finance worker was deceived into transferring $25 million during a fake video call with deepfaked representations of company executives. A mother received a ransom demand for her daughter through a call that used a cloned voice to simulate a kidnapping scenario. Attackers use AI-powered chatbots to mimic legitimate entities like Facebook, deceiving users into handing over login credentials. A deepfake video of President Zelensky allegedly urged Ukrainians to surrender, demonstrating the use of AI in misinformation campaigns. These incidents underline the need for improved employee education on recognizing and managing AI-driven social engineering attacks. | Details |
| 2025-01-31 11:11:12 | thehackernews | DATA BREACH | Italy Blocks Chinese AI Firm DeepSeek Over Data Privacy Issues | Italy's data protection authority, Garante, has prohibited the operation of DeepSeek, a Chinese AI firm, within its borders due to inadequate data handling disclosures. The decision was triggered by DeepSeek's insufficient responses regarding the specifics of personal data collection, its sources, purposes, legal bases, and data storage locations. DeepSeek contends that it does not operate in Italy and that European legislation is not applicable to it, a stance rejected by the Italian authorities. The ban follows a similar temporary restriction placed on OpenAI's ChatGPT in 2023, which was lifted after the company addressed Italy's data privacy concerns. DeepSeek has been popular, as evidenced by high download rates, but has faced significant scrutiny over its privacy policies and susceptibility to large-scale malicious attacks. Additional concerns have arisen around DeepSeek's AI models, which have shown vulnerabilities to various jailbreak techniques allowing the generation of harmful or illicit content. Investigations into DeepSeek's models have revealed potential ethical and legal violations, including the unauthorized use of OpenAI's data, raising issues of data sourcing and model originality. | Details |
| 2025-01-31 10:45:35 | thehackernews | MALWARE | Google Tackles Android Malware Surge, Blocks Risky Apps and Developers | Google blocked 2.36 million Android apps violating its policies and banned 158,000 developer accounts in 2024. The company improved security by denying 1.3 million apps access to unnecessary user data. Google Play Protect flagged 13 million new malicious apps not listed on the official app store. Over 91% of app installs on the Google Play Store now use the latest Android 13 protections. Implementation of the Play Integrity API reduced usage of apps from unverified sources by 80%. A new "Verified" badge was introduced for VPN apps that pass a Mobile Application Security Assessment. The Tria Stealer malware, targeting Android users in Malaysia and Brunei, indicates ongoing threats. Google's efforts have prevented millions of unsafe app installations, particularly in emerging markets. | Details |
| 2025-01-31 09:05:40 | theregister | CYBERCRIME | Record Ransomware Attacks in 2024 Despite Major Law Enforcement Efforts | Ransomware attacks hit a new high in 2024 with 5,263 incidents, marking a 15% increase from the previous year despite substantial law enforcement actions. Critical national infrastructure sectors, particularly industrials, were the primary targets due to their existing vulnerabilities to such attacks. Factors contributing to the rise in ransomware activity include exploitable software products, compromised user credentials, geopolitical tensions, and the proliferation of ransomware-as-a-service (RaaS) platforms. Notorious ransomware operators like LockBit and its affiliates remained active and adaptive, despite significant takedowns and sanctions against key figures. Law enforcement efforts resembled a "whack-a-mole" game, with new ransomware groups forming even as existing ones were taken down; the emergence of groups like RansomHub illustrates the dynamic and resilient nature of the ransomware ecosystem. Ransomware attacks have also become more profitable, driven by increasing cryptocurrency values, enhancing the incentives for cybercriminals. The article predicts a continuation and possible increase in ransomware attacks into 2025, highlighting the ongoing challenge for global cybersecurity efforts. | Details |
| 2025-01-31 06:02:53 | thehackernews | MALWARE | Broadcom Releases Fixes for Critical VMware Aria Security Flaws | Broadcom has issued security updates for VMware Aria Operations and Aria Operations for Logs to address five vulnerabilities. These security flaws could potentially allow attackers to gain elevated access or access sensitive information. The vulnerabilities affect version 8.x of the VMware Aria software suite. The security flaws were identified and reported by security researchers from Michelin CERT and Abicom. This team of researchers has previously identified other critical vulnerabilities in the same VMware products. There has been no evidence reported of these vulnerabilities being exploited in the wild. The update to mitigate these issues is included in VMware Aria Operations and Aria Operations for Logs version 8.18.3. The announcement follows a recent advisory regarding a high-severity flaw in VMware Avi Load Balancer, which also posed significant security risks. | Details |
| 2025-01-31 01:38:20 | theregister | NATION STATE ACTIVITY | Google Detects State-Backed Misuse of AI Across Multiple Countries | Google's Threat Intelligence Group identified misuse of its Gemini AI by government agents from Iran, China, Russia, and North Korea. Iranian operatives were the most active, using the AI to enhance phishing efforts and Android security research, constituting 75 percent of all suspicious activity. The AI was also employed by Chinese spies for researching U.S. institutions and by North Koreans to aid in job applications and military intelligence gathering. Russian use of the AI was noted as lower, possibly due to local AI usage or a desire to minimize surveillance exposure. Google affirmed that its AI's built-in safety measures effectively prevented the creation of malware and the leakage of sensitive information. Despite attempts, the AI resisted queries for generating harmful outputs, and direct abuses of Google's services remain blocked. Google's DeepMind division is actively developing new defense mechanisms against potential AI system abuses. | Details |
| 2025-01-30 23:32:49 | bleepingcomputer | CYBERCRIME | Healthcare Monitors Compromised by Backdoor, Data Sent to China | The US Cybersecurity and Infrastructure Security Agency (CISA) detected a backdoor in Contec CMS8000 healthcare patient monitors. This vulnerability allows unauthorized remote access and sends patient data to a hard-coded IP address linked to a Chinese university. Patient data, including personal identifiers, is transmitted using an unexpected protocol (LPD), which is typically used for network printing. CISA's investigation found that the backdoor's activity leaves no logs, which prevents detection of unauthorized activities. Several firmware updates provided by Contec did not resolve the issue; they only temporarily disabled network features critical to the backdoor's functionality. No effective patch is available; CISA advises healthcare facilities to disconnect affected devices from networks and monitor for any signs of compromise. The backdoor enables file copying and execution, potentially giving remote attackers full control over the affected devices. | Details |
| 2025-01-30 22:13:17 | theregister | MISCELLANEOUS | Veeam Shifts Focus to Data Resilience and Portability Amid Challenges | Veeam is moving away from traditional backup solutions, focusing instead on 'data resilience' and 'data portability' in response to evolving threats such as cyberattacks and commercial changes. Data resilience now entails preparation for cyberthreats, which are considered more common and disruptive than natural disasters, altering backup and restoration strategies. Amid licensing and support changes by Broadcom after acquiring VMware, Veeam emphasizes its broad, cross-platform support to allow flexibility for enterprises facing potential migrations away from VMware. Veeam supports a range of platforms, including various hypervisors and cloud environments, ensuring that enterprises can manage their data backups across multiple platforms with ease. The company has developed deep data resilience strategies, integrating advanced threat detection and offering immutability features to protect against ransomware by making backups unchangeable during specified periods. Veeam emphasizes the importance of testing backup integrity through its SureBackup feature, which verifies the restorability of virtual machines from backup data. Compliance and reporting are integral parts of Veeam's offering, with tools providing automation for backup retention management and constant compliance monitoring. Veeam's strategic focus acknowledges data resilience as a necessary approach for modern enterprises, linking good risk management and technical capabilities to protect and manage data across diverse environments. | Details |
| 2025-01-30 22:03:00 | theregister | CYBERCRIME | VMware Fixes High Severity Security Flaws in Cloud Foundation | Broadcom has patched five high-severity vulnerabilities in VMware's Cloud Foundation, affecting IT management and log analysis tools. The vulnerabilities could lead to unauthorized disclosure of sensitive credentials and involve both Aria Operations and Aria Operations for Logs. No exploitation of these vulnerabilities in the wild has been reported, though the possibility remains if access is obtained through compromised accounts. The most critical bug, rated 8.5, allows those with limited admin rights to potentially access credential information in VMware Aria Operations for Logs. Other vulnerabilities include stored XSS flaws that permit the injection and execution of malicious scripts, with varying levels of access needed to exploit them. A privilege escalation bug was also identified, allowing unauthorized API actions without full admin rights. VMware users are urged to update to version 8.18.3 to mitigate these issues, with detailed instructions available in VMware's KB92148 document. Given VMware's significant role in IT infrastructures globally, swift patching is advised to prevent potential exploitation. | Details |
| 2025-01-30 21:02:32 | bleepingcomputer | MALWARE | Google Enhanced Android Security By Blocking 2.36 Million Risky Apps | Google blocked 2.36 million risky Android app submissions in 2024, a significant increase from previous years due to improved AI-assisted review processes. The tech giant banned 158,000 developer accounts for attempting to circulate malware and spyware through the Play Store. Google Play Protect was upgraded to bolster real-time protection and scanned over 200 billion apps daily, identifying 13 million new malware threats. The enhancements included preventing 1.3 million apps from accessing excessive user permissions and adding 80 trusted SDKs to the Google Play SDK index. The Play Integrity API contributed to an 80% reduction in app abuse from untrusted sources, with security features in Android 13 aiding in 91% of app installs. Google expanded its untrusted APK installation blocking system to multiple countries, successfully thwarting 36 million malicious installation attempts. Despite these advances, the ongoing sophistication of cyberthreats requires users to remain cautious and proactive in managing app permissions and security settings. | Details |