Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12823
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-01-22 08:51:42 | thehackernews | NATION STATE ACTIVITY | PlushDaemon APT Targets South Korean VPN in Supply Chain Attack | PlushDaemon, a previously unknown APT group linked to China, executed a targeted supply chain attack on a South Korean VPN provider, exploiting the provider's software installer. ESET discovered the attack involving the replacement of a legitimate VPN installer with a malicious version that deployed a backdoor named SlowStepper, a substantial toolkit featuring over 30 components. SlowStepper, programmed in C++, Python, and Go, enables extended surveillance capabilities, including data gathering and recording audio and video through various Python and Go modules. The malware infiltrated systems through compromised software downloaded from the VPN provider's website and achieved persistence, allowing continuous access to infected systems. Victims of the attack include networks associated with a semiconductor company and a software development company in South Korea, with telemetry data indicating earlier victims in Japan and China. The malware leverages a multistage C&C protocol utilizing DNS queries to manage communication with its command servers, enabling a range of commands for detailed system exploitation and self-deletion. The latest observations suggest the APT has been actively refining and deploying its tools since 2019, with recent versions indicating enhancements for reduced detection and increased functionality. | Details |
| 2025-01-22 07:30:44 | thehackernews | MALWARE | Oracle Releases Critical Update for 318 Security Flaws in 2025 | Oracle issued a Critical Patch Update in January 2025, addressing 318 security vulnerabilities across its various products. The most critical flaw, CVE-2025-21556 in Oracle Agile Product Lifecycle Management (PLM) Framework, has a CVSS score of 9.9 and permits attackers with limited privileges and HTTP network access to take control of affected systems. Oracle has noted active attack attempts on another significant vulnerability within the same PLM Framework, CVE-2024-21287. The patch includes fixes for multiple critical vulnerabilities, each with CVSS scores nearing 9.8, indicating their severity. Among the serious vulnerabilities patched was CVE-2025-21535 in Oracle WebLogic Server, susceptible to remote unauthorized exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recognized the active exploitation of several vulnerabilities now patched, adding CVE-2020-2883 to its KEV catalog. Oracle’s Security Assurance VP, Eric Maurice, strongly advises customers to apply the updates urgently to mitigate potential security risks. The update also rectifies a critical Kerberos 5 issue in Oracle Communications Billing and Revenue Management, marked by CVE-2024-37371, which could allow attackers to manipulate memory via invalid message tokens. | Details |
| 2025-01-22 06:24:56 | thehackernews | DDOS | Record 5.6 Tbps DDoS Attack Staged by Mirai Botnet Variant | Cloudflare reported blocking a record 5.6 Tbps DDoS attack, the largest to date, launched by a Mirai-variant botnet. The massive attack targeted an Eastern Asian ISP on October 29, 2024, using the UDP protocol and involved over 13,000 IoT devices. This attack surpassed the previous record of 3.8 Tbps reported by Cloudflare in the same month. The DDoS assault lasted just 80 seconds, with each of the sourced IP addresses contributing approximately 1 Gbps. Throughout 2024, Cloudflare blocked a total of 21.3 million DDoS attacks, marking a 53% increase from the previous year. Attacks exceeding 1 Tbps saw a significant increase of 1,885% quarter-over-quarter in 2024. During the fourth quarter of 2024 alone, Cloudflare mitigated as many as 6.9 million DDoS attacks. Cybersecurity firms note an increase in IoT-targeted attacks by Mirai botnet variants, exploiting security flaws and weak credentials. | Details |
| 2025-01-22 01:21:59 | theregister | DATA BREACH | Massive Data Breach at PowerSchool Affects Millions of Students | PowerSchool, a California-based education software provider, experienced a significant network intrusion in December, impacting millions of student records globally. Unauthorized access to database tables exposed sensitive personal details of students from over 40 U.S. states and Canadian territories. Data compromised includes names, addresses, phone numbers, birth dates, health information, and guardian contact details. The intruder reportedly accessed records dating back to 1985 from the Toronto District School Board, the largest in Canada, affecting 240,000 students across 588 schools. PowerSchool claims the stolen data has been deleted and not shared, based on feedback from the perpetrators. Over 20 lawsuits have been filed against PowerSchool in the wake of this security breach, demonstrating the severity of the situation. PowerSchool assured stakeholders it was not a ransomware attack but a breach of network security, with ongoing monitoring of ransomware dark web sites for potential data leaks. | Details |
| 2025-01-22 01:06:39 | theregister | DATA BREACH | Decades of Student Records Compromised in PowerSchool Breach | The Toronto District School Board confirmed a breach impacting records dating back to 1985, affecting about 240,000 students. PowerSchool, a cloud-based student information system, was breached in December, jeopardizing data of over 60 million students, mainly in North America. Sensitive data accessed includes names, genders, addresses, phone numbers, birthdates, and in some cases, medical information of students. Stacey Zucker of TDSB reported that the culprits confirmed the deletion of stolen data, but verification remains uncertain. The breach has impacted educational institutions across more than 40 U.S. states and the British territory of Bermuda. PowerSchool faces over 20 lawsuits in connection with the security breach, highlighting the legal ramifications of the data compromise. | Details |
| 2025-01-21 21:09:09 | bleepingcomputer | DDOS | Cloudflare Neutralizes Record 5.6 Tbps DDoS Attack Using AI | Cloudflare successfully mitigated a record-breaking 5.6 Tbps DDoS attack aimed at an Eastern Asian ISP, originating from a Mirai-based botnet of 13,000 devices. The attack, which took place on October 29, lasted only 80 seconds and was automatically detected and neutralized without human intervention. This event surpassed the previous record attack of 3.8 Tbps that Cloudflare reported earlier in October 2024, highlighting a rising trend in the frequency and volume of DDoS attacks. Cloudflare's report indicates a significant increase in hyper-volumetric attacks, with attacks exceeding 1 Tbps growing by 1,885% quarter-over-quarter and those over 100 million packets per second (pps) up by 175%. Despite the growth in large-scale attacks, 93% of network layer DDoS incidents and 87% of such events remain below 500 Mbps and 50,000 pps, respectively. The brief duration of most DDoS attacks, with over 70% ending in less than 10 minutes, underscores the importance of automated, always-on security solutions to handle these rapid incidents effectively. The report also notes an increase in ransom DDoS attacks, especially during peak usage times like holidays, with a 78% increase quarter-over-quarter and 25% growth year-over-year. The most targeted regions in the latest quarter were China, the Philippines, and Taiwan, primarily affecting the telecommunications and internet service sectors. | Details |
| 2025-01-21 20:03:12 | bleepingcomputer | MALWARE | Malicious Google Ads Mimic Homebrew to Spread Infostealer Malware | Hackers are using Google ads to direct users to a fake Homebrew website, deploying an infostealer malware targeting Mac and Linux users. The malware, identified as AmosStealer, steals credentials, browser data, and cryptocurrency information, and is available as a subscription service to cybercriminals. The ruse involves a deceptive ad that appears legitimate, using a URL similar to the official Homebrew site, misleading users to download malware. Security experts have observed similar tactics in previous campaigns targeting users of Google Meet and Google Ads services. The Homebrew project leader criticized Google for insufficient scrutiny over its ads, indicating recurring issues with malvertising. Despite Google taking down the malicious advertisement, similar threats remain prevalent, prompting caution among internet users. Users are advised to bookmark and directly visit official software sites to avoid falling victim to such scams. | Details |
| 2025-01-21 18:47:14 | theregister | CYBERCRIME | Thousands of Fortinet Firewalls at Risk Due to Unpatched Zero-Day | Nearly 50,000 Fortinet firewall interfaces remain vulnerable to an actively exploited zero-day vulnerability, despite available patches. The vulnerability, identified as CVE-2024-55591, was disclosed a week ago, but the pace of updates has been slow, with high exposure especially in Asia. The zero-day exploit has allowed attackers to steal credentials and escalate privileges within networks, according to Arctic Wolf Labs. Fortinet has confirmed that data including configurations and passwords were stolen using another zero-day in 2022 by the Belsen Group, a new criminal entity. The stolen data was recently leaked online, primarily affecting SMBs, but also larger organizations and government entities. Devices bought after December 2022 are not affected by this specific breach, and Fortinet is reaching out to potentially compromised customers. The security patch slowdown occurs amidst a difficult period for Fortinet, which includes multiple critical vulnerabilities and a problematic disclosure history in recent months. | Details |
| 2025-01-21 16:10:08 | bleepingcomputer | MALWARE | 7-Zip Updates to Patch Critical MoTW Security Bypass Flaw | A critical vulnerability within 7-Zip allowed attackers to bypass Mark of the Web (MoTW) security, enabling execution of malicious code on user PCs. Despite added MoTW support in June 2022, a flaw persisted in 7-Zip that failed to transfer MoTW flags to files extracted from nested archives. Microsoft Office's Protected View, which relies on detecting MoTW flags to restrict document functionality, was subverted due to this security oversight. Trend Micro's discovery of the CVE-2025-0411 vulnerability prompted an urgent fix by 7-Zip, released in version 24.09 on November 30, 2024. There is no auto-update feature for 7-Zip, potentially leaving numerous users exposed to malware infections if the latest patch is not manually installed. Historical misuse of similar MoTW bypass vulnerabilities includes exploits by malware groups targeting various applications and platforms for financial gain and unauthorized access. | Details |
| 2025-01-21 15:59:41 | bleepingcomputer | CYBERCRIME | Sophisticated Ransomware Campaigns Exploit Microsoft Teams for Access | Ransomware groups are using Microsoft Teams to pose as IT support and deceive employees into installing malware, granting hackers full network access. Attack techniques include email bombing followed by a Teams call from a fake ‘Help Desk Manager’ to set up remote control sessions. Once access is gained, malware such as a Java archive and Python scripts create encrypted communication channels with external IPs, allowing remote command and control. Observed attacks involve initial data theft intentions, progressing towards ransomware deployment, with FIN7 potentially linked to these strategies. Attackers employ various tools for lateral movement and persistence, leveraging public code and obfuscation methods previously associated with FIN7. Sophos research suggests medium confidence in the connection of these ransomware attacks to the known cybercriminal group FIN7, which is known for tool sharing. Recommendations include blocking external Microsoft Teams calls and messages, and disabling Microsoft Quick Assist in security-sensitive environments. | Details |
| 2025-01-21 15:03:29 | bleepingcomputer | MISCELLANEOUS | Criminal IP Partners with OnTheHub to Boost Cybersecurity in Education | AI SPERA has partnered with OnTheHub to distribute the Criminal IP cybersecurity solution across global educational institutions. The collaboration aims to improve cybersecurity awareness and protection in the education sector, providing solutions that comply with international standards. Criminal IP is now accessible to students and educational organizations worldwide, enhancing its position in the global security market. Users can activate Criminal IP by redeeming coupons available through OnTheHub, allowing access to an advanced Cyber Threat Intelligence platform at a reduced cost. The solution leverages AI and machine learning to perform real-time risk analyses and identify security threats across various digital infrastructures. Criminal IP features include monitoring and managing IT assets and detecting malicious network activities, all integrated via a user-friendly platform. This partnership aligns with the digital transformation trends in education, focusing on enhancing learning management systems and other educational technologies. AI SPERA's CEO expressed enthusiasm about providing a cost-effective, high-quality cybersecurity tool to support safe digital learning environments. | Details |
| 2025-01-21 14:00:59 | thehackernews | DDOS | Rising Threat: Mirai Botnet Attacks Utilize IoT Device Vulnerabilities | Cybersecurity experts report a new campaign exploiting vulnerabilities in AVTECH IP cameras and Huawei HG532 routers, creating a Mirai botnet variant called Murdoc_Botnet. Active since July 2024, this scheme has compromised over 1,370 devices across Malaysia, Mexico, Thailand, Indonesia, and Vietnam. Attackers exploit known vulnerabilities (CVE-2017-17215 and CVE-2024-7029) to commandeer IoT devices and propagate malicious software based on device CPU architecture. The main objective of these cyber attacks is to assemble vast botnet networks that facilitate large-scale DDoS attacks. The Murdoc_Botnet operation shows improved capabilities by deploying advanced payloads and scripts to manage and execute the bot malware. Recent attacks have heavily targeted sectors including telecommunications, cloud computing, banking, and gaming across several countries including Japan, the U.S., and India. Recommendations for defending against these threats include monitoring unusual process activities, event anomalies, and network traffic, along with applying firmware updates and changing default credentials. | Details |
| 2025-01-21 13:25:16 | theregister | CYBERCRIME | HPE Investigates IntelBroker's Claims of Source Code Theft | Hewlett Packard Enterprise (HPE) is investigating claims by IntelBroker about unauthorized access to HPE systems and the theft of source code. IntelBroker, known for past cybercriminal activities, alleged possession of HPE data, including source code from GitHub, Docker builds, and SAP Hybris. HPE activated its incident response protocols immediately after being notified of the potential breach on January 16, taking measures such as disabling related credentials. The company confirmed no current operational impact or evidence indicating customer information was compromised. The stolen data is reportedly being offered for sale on a cybercrime forum, suggesting that personally identifiable information (PII) from old records is also available. Europol and previous incidents suggest IntelBroker typically fulfills some of their threats, prompting heightened caution and verification efforts. IntelBroker is also linked to the notorious Valhalla doxxing gang and potentially the AgainstTheWest group, a detail uncovered by cybersecurity firm Kela. | Details |
| 2025-01-21 12:51:21 | thehackernews | MALWARE | Global Botnet Uses 13,000 Hijacked Routers to Spread Malware | A network of approximately 13,000 compromised MikroTik routers is being used to distribute malware through spam campaigns. The botnet, known as Mikro Typo, leverages DNS misconfigurations to bypass email protections, sending emails that mimic legitimate domains. The malicious emails contain a ZIP file with a JavaScript file that, upon execution, connects to a command-and-control server. The routers have been compromised via various methods, with some attacks exploiting a critical vulnerability, CVE-2023-30799. Compromised routers are configured to use SOCKS proxies, disguising the origin of malicious traffic and facilitating other cybercrimes like DDoS and phishing. The attackers have exploited SPF misconfigurations on 20,000 domains to send emails impersonating these domains, effectively circumventing email security measures. Security recommendations for MikroTik device owners include updating firmware and changing default credentials to prevent further exploits. The presence and function of the SOCKS proxies are making it difficult for defenders to trace and mitigate the attacks, underscoring the need for enhanced security strategies. | Details |
| 2025-01-21 10:54:53 | thehackernews | NATION STATE ACTIVITY | Former CIA Analyst Guilty of Leaking Top-Secret Government Data | Asif William Rahman, a former CIA analyst, admitted to unlawfully sharing top-secret National Defense Information with unauthorized parties. Rahman was charged with two counts of unauthorized transmission of classified data and pleaded guilty in November 2024. He is set to be sentenced on May 15, 2025, and could face a maximum of 10 years in prison. Documents retained and shared included information on planned actions by a U.S. ally against a foreign adversary, originally classified as Top Secret. The leaked documents appeared on social media, linking the information to planned military actions by Israel against Iran. Rahman altered and deleted records and written work to cover his tracks and mislead investigations. The FBI emphasized the breach of trust and the elaborate efforts taken by Rahman to conceal his activities. | Details |