Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12821
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-01-27 13:29:19 | theregister | NATION STATE ACTIVITY | Suspected Sabotage of Baltic Sea Cables Spurs NATO Response | Swedish authorities seized the Malta-flagged cargo ship Vezhen following suspected sabotage of an undersea cable between Sweden and Latvia. This incident prompted heightened security and increased NATO patrols in the Baltic Sea region. The damaged cable, owned by the Latvian State Radio and Television Center, connects Ventspils in Latvia with Gotland Island in Sweden. Recent months have seen multiple disruptions to undersea cables in the region, raising concerns over potential deliberate acts. Latvian Prime Minister Evika Silina reported significant, likely external, damage to the cable infrastructure. NATO is enhancing its capabilities with submarine drones to monitor undersea infrastructure more effectively, with deployment expected by June 2025. Recent events are speculated to involve Russia's "shadow fleet," which uses various deceptive practices, posing risks to maritime safety and security. The UK and NATO are taking steps to closely monitor and respond to suspicious maritime activities in their respective waters. | Details |
| 2025-01-27 11:49:34 | theregister | CYBERCRIME | Teen Exploits Cloudflare, Various Cyber Incidents Reported | A 15-year-old hacker developed a tool leveraging Cloudflare's CDN to approximate user locations on apps like Signal and Discord without direct interaction. The exploit used a bug in Cloudflare Workers to determine which datacenter cached user-requested resources, revealing approximate locations. Despite a fix by Cloudflare, potential privacy vulnerabilities persist in CDN usage, per the hacker's findings. Tornado Cash, previously sanctioned by the US for aiding North Korean hackers, has seen those sanctions overturned by a Texas court. Security flaws in Subaru’s STARLINK allowed unauthorized access to vehicle tracking and customer PII but were quickly rectified. Stark Aerospace, a US defense contractor, suffered a ransomware attack by INC, risking exposure of sensitive military data. A significant data breach linked to the MOVEit incident affected American National Insurance Company, resulting in extensive customer data leaks. The incidents underscore the continuous and varied threats in cybersecurity, impacting privacy, industry integrity, and national security. | Details |
| 2025-01-27 09:36:06 | theregister | MISCELLANEOUS | Disgruntled Ex-Contractor Shuts Down British Museum IT Systems | A former IT contractor, recently dismissed, entered the British Museum without authorization and disabled several IT systems. The incident forced the museum to temporarily close select galleries and exhibitions, impacting visitor services and operations. The Metropolitan Police confirmed the suspect's arrest at the scene for burglary and criminal damage. Efforts are underway to fully restore the affected systems, with the museum offering refunds to ticket holders for closed exhibitions. The museum and the police have not provided details on how the former contractor gained access or the specifics of the damage caused. The British Museum is one of the UK's top visitor attractions, housing significant artifacts like the Rosetta Stone and Parthenon Marbles. Police investigations are ongoing, with the suspect released on bail pending further inquiries. | Details |
| 2025-01-26 16:31:59 | bleepingcomputer | DATA BREACH | UnitedHealth Reports Staggering 190 Million Affected in Data Breach | UnitedHealth Group revealed a data breach impacting 190 million individuals, a significant increase from an earlier estimate of 100 million. The data breach occurred during a ransomware attack on its subsidiary, Change Healthcare, in February 2024, marking the largest healthcare data breach in US history. Compromised data included health insurance details, medical records, billing, payment information, and sensitive personal data such as Social Security Numbers. The data breach was orchestrated by the BlackCat ransomware gang using compromised credentials to access Change Healthcare’s systems. UnitedHealth initially paid a $22 million ransom to obtain a decryption key and prevent data leakage, only for the attackers to demand additional payments later. The financial impact of the ransomware attack on UnitedHealth is estimated to reach $2.45 billion by September 2024, significantly higher than initial loss estimates. Despite the magnitude of the breach, there have been no reports of the stolen data being misused as of the latest updates. | Details |
| 2025-01-26 15:21:55 | bleepingcomputer | MALWARE | Ransomware Gangs Exploit VMware ESXi Using SSH Tunnels | Ransomware actors are targeting VMware ESXi hypervisors, using SSH tunneling to maintain persistent, stealthy access. VMware ESXi plays a crucial role by hosting multiple virtual machines on a single server, making such hosts attractive targets for cyberattacks. Many organizations lack proper monitoring of their ESXi SSH activity, allowing attackers to operate undetected. Attackers are exploiting known vulnerabilities or compromised administrator credentials to gain access to these systems. Once access is secured, setting up SSH tunneling for control and movement within the network is straightforward and hard to detect. Sygnia's report indicates that the resilience of ESXi appliances provides a semi-persistent backdoor for attackers. ESXi's distribution of logs across multiple files creates visibility gaps, hindering evidence collection and threat detection. Centralizing log management and integrating with SIEM solutions is recommended for better anomaly detection and system security. | Details |
| 2025-01-25 21:27:30 | bleepingcomputer | DATA BREACH | TalkTalk Probes Vendor Breach as Alleged Customer Data Surfaces Online | TalkTalk is investigating a third-party supplier data breach following claims of customer data being sold on a hacking forum. The company emphasized that no billing or financial details were compromised, as these were not stored on the affected system. The alleged breach involved the Ascendon SaaS platform, historically used by TalkTalk, rather than a direct breach of TalkTalk's systems. A user named "b0nd" claimed the data breach occurred in January 2025, affecting nearly 18.9 million individuals; however, TalkTalk contests both the incident and the number of potential victims. The exposed data purportedly includes names, emails, IP addresses, and phone numbers of current and former subscribers. TalkTalk has engaged its Security Incident Response team and has implemented immediate protective measures. In a previous related incident in 2015, TalkTalk suffered a significant breach impacting over 150,000 customers, resulting in a hefty fine. Doubts remain over the authenticity of the claim, as TalkTalk's subscriber numbers do not align with the figures purported in the breach. | Details |
| 2025-01-25 15:22:38 | bleepingcomputer | DATA BREACH | PayPal Settles for $2 Million After Major 2022 Data Breach | New York State secured a $2 million settlement from PayPal due to non-compliance with state cybersecurity regulations following a 2022 data breach. The breach was a result of credential stuffing attacks that occurred between December 6 and December 8, 2022, affecting 35,000 accounts. Exposed customer data included full names, dates of birth, addresses, social security numbers, and tax identification numbers. The DFS highlighted a significant lapse involving improper handling of Form 1099-K, exacerbated by insufficient training and faulty procedural implementation. Lack of multi-factor authentication and of adequate access controls such as CAPTCHA or rate limiting facilitated the breach. Despite post-breach corrective measures like data masking and enforcing multi-factor authentication for U.S. accounts, DFS deemed these actions insufficiently timely. The settlement agreement also includes a directive for PayPal to make the payment within 10 days, with potential further actions if new violations are uncovered. | Details |
| 2025-01-25 11:18:10 | theregister | MALWARE | Global Juniper Routers Compromised with Stealth Backdoor | Juniper routers worldwide have been infected with a stealthy backdoor variant of the cd00r malware, named J-Magic, targeting key industries such as semiconductors, energy, and manufacturing. This backdoor operates by listening for specific network "magic packets" that trigger remote command-line access to the infected device. The malware has been installed predominantly on routers configured as VPN gateways and is memory-resident, evading basic detection methods. The infiltration method into Junos OS-equipped routers remains unclear, with half of the affected devices managing VPN traffic. Black Lotus Labs, which discovered the issue, detailed that the backdoor establishes a secure connection after verifying the sender via an RSA-encrypted challenge-response mechanism. Victims of this targeted attack are located across multiple countries including the US, UK, Norway, Russia, and Brazil, encompassing various critical industries. Black Lotus Labs has suggested reviewing its published indicators of compromise to identify potential breaches and mitigate risk. | Details |
| 2025-01-25 09:39:54 | theregister | DATA BREACH | TalkTalk Investigates Claims of Significant Customer Data Leak | TalkTalk, a UK broadband and TV provider, is currently investigating allegations of customer data being offered on cybercrime forums by an individual known as "b0nd." The alleged data breach reportedly involves data from nearly 19 million past and present TalkTalk customers, although TalkTalk contests these figures. The data in question supposedly originates from an external data platform, managed by a third-party supplier, which does not include billing or any sensitive financial information. TalkTalk's investigation has yet to confirm the authenticity or extent of the breach, and the company emphasizes that the number of affected customers is likely exaggerated. The external platform implicated handles only a subset of TalkTalk’s current 2.4 million customers. Immediate containment measures were implemented, and TalkTalk's security incident response team is collaborating with the third-party supplier to resolve the issue. This incident is distinct from the 2015 breach involving 157,000 customers, which resulted in a substantial fine for TalkTalk. | Details |
| 2025-01-24 23:32:35 | theregister | MISCELLANEOUS | AI Chatbot Startup Execs Charged in $60M Investment Fraud | Alexander Beckman and Valerie Lau Beckman face a 25-count federal indictment including wire fraud, securities fraud, and identity theft. Allegations include fabricating revenue and inflating bank balances to secure over $60 million from investors. The couple is accused of impersonating individuals from reputable organizations to create false audit reports and financial statements. It is alleged that they misappropriated $4 million of investor funds for personal expenses, such as buying homes and financing a wedding. Valerie Lau is implicated in obstruction of justice for deleting files during a grand jury investigation. Potential consequences for the accused include lengthy prison sentences, with some charges carrying up to 20 years. Following Beckman's resignation and a financial review, ON Platform halted operations and laid off most of its staff. The future of ON Platform remains uncertain, with inactive social media and unresponsive company contacts. | Details |
| 2025-01-24 20:42:55 | bleepingcomputer | MISCELLANEOUS | Zyxel Issues Warning on Firewall Boot Loop Glitch | Zyxel has issued a warning about a problematic security signature update impacting USG FLEX and ATP Series firewalls. The faulty update, distributed between January 24 and 25, has triggered boot loops, ZySH daemon failures, and login access issues on affected devices. This problem does not relate to any CVE or other security vulnerability, but rather to an Application Signature Update malfunction. Only firewalls with active security licenses on specific firmware versions are affected; the Nebula platform and USG FLEX H series remain unaffected. Resolution requires physical onsite intervention using a console cable connected directly to the firewall. Zyxel advises administrators to back up configurations, apply a special firmware update, and restore configurations through the web GUI. Detailed recovery steps are provided in a Zyxel advisory, underscoring the necessity for technicians to review these procedures prior to attempting repairs. | Details |
| 2025-01-24 17:35:39 | bleepingcomputer | CYBERCRIME | Subaru Starlink Security Flaw Could Allow Vehicle Hijacking | Security researchers identified a significant vulnerability in Subaru's Starlink service that could enable hackers to take over accounts and control vehicles in the US, Canada, and Japan. The flaw was initially discovered by researchers Sam Curry and Shubham Shah on November 20, 2024. Attackers could access personal details such as a victim's last name, ZIP code, email, or phone number and even track, control, or hijack Subaru vehicles. A demonstration video showed that obtaining over a year's worth of location data for a Subaru could be accomplished in just ten seconds. The vulnerability was found in the "resetPassword.json" endpoint within Subaru Starlink’s admin portal, allowing account takeover without a confirmation token. Although account takeover required bypassing two-factor authentication, Curry found it could be circumvented by modifying the client-side UI code. Subaru responded quickly, patching the flaw within 24 hours after it was reported by the researchers, and it was never exploited by malicious actors. This incident follows a similar security issue discovered by the same group in Kia's dealer portal, which also involved using a vehicle’s license plate to facilitate unauthorized access. | Details |
| 2025-01-24 17:30:17 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Group Exploits RID Hijacking for Stealthy Admin Access | A North Korean threat group, identified as Andariel, has successfully exploited Windows systems using RID hijacking, enabling low-privilege accounts to gain admin rights covertly. Andariel begins by gaining SYSTEM access through vulnerabilities, then creates a hidden low-privilege user account, making modifications using tools like PsExec and JuicyPotato. RID hijacking involves modifying the Security Account Manager (SAM) registry to elevate the hidden account's privileges to administrator level discreetly. Despite SYSTEM access allowing creation of admin accounts, Andariel opts for RID hijacking for its stealth and difficulty of detection, adding the account to critical groups like Remote Desktop Users and Administrators. Post-attack, the group covers its tracks by exporting and deleting modified registry settings, then restoring them from backups to avoid detection in system logs. To defend against such attacks, experts recommend using Local Security Authority (LSA) checks, restricting execution of certain system tools, disabling low-security accounts, and securing all user accounts with multi-factor authentication. RID hijacking as a technique was first publicly discussed in 2018, underscoring its continued relevance and threat in cybersecurity circles. | Details |
| 2025-01-24 16:39:29 | bleepingcomputer | MALWARE | Fake Malware Builder Infects 18,000 Hackers with Backdoor | Security researchers at CloudSEK uncovered a trojanized XWorm RAT builder that infected 18,459 devices globally, targeting script kiddies. The malware propagated through GitHub, Telegram, YouTube, and other platforms, posing as a free RAT builder. Infected devices were manipulated to steal data and execute commands from a Telegram-based command and control server. CloudSEK identified that around 11% of the infected devices had data exfiltrated, mainly screenshots and browser information. The malware was designed to evade detection by ceasing operation if run in a virtualized environment and ensured persistence through registry modifications. A kill switch was used by researchers to issue a mass uninstall command, successfully removing the threat from numerous infected devices; yet, some devices remain compromised due to various limitations. The incident highlights the risks of trusting and using unsigned software sourced from unreliable parties and underscores the unpredictable nature of cybercriminal activities. | Details |
| 2025-01-24 15:28:34 | bleepingcomputer | CYBERCRIME | Microsoft Warns Outdated Exchange Servers Risk Major Security Flaws | Microsoft reports that outdated Exchange servers cannot receive new emergency security mitigations due to a deprecated certificate. On-premises Exchange servers without recent updates are exposed to high-risk security flaws actively exploited in cyberattacks. The Exchange Emergency Mitigation Service (EEMS), launched in 2021, automatically protects servers by applying temporary security fixes against known threats. EEMS is unable to retrieve new mitigations for Exchange versions older than March 2023, resulting in service errors. Microsoft urges updating servers to enable continuous deployment of emergency mitigations and maintain email security. Previous cyberattacks used exploits for which Exchange had no patches, prompting the initial need for EEMS. Regularly running the Exchange Server Health Checker helps identify necessary updates and security actions. | Details |