February 26 2025 – Cyber Briefing

👉 What’s trending in cybersecurity today?

Auto-Color Linux Backdoor, PicassoLoader Variant, Belarus, Ukrainian Activists, Military, Malware Campaign, Truesight Driver, Gh0st RAT, Cross-Site Scripting Flaw, Essential Addons Plugin, WordPress, Rsync Flaws, DISA, Data Breach, Have I Been Pwned, ALIEN TXTBASE Leak, 23 Billion Credentials, Orange Romania Cyberattack, Payment Details, Northern Caribbean University, Cyberattack, LockBit Ransomware, Sweden, WhatsApp, Signal, UK Home Office, Vulnerability Reporting, NinjaOne, Funding, Endpoint Management, Hackers, Exploit Codes, Skybox Security, Shuts Down, Tufin.



🚨 Cyber Alerts

1. Auto-Color Linux Backdoor Targets Government

A new Linux backdoor called Auto-Color has been discovered targeting universities and government organizations in North America and Asia. The malware is evasive, designed to maintain long-term access to infected systems while being difficult to remove. It uses custom encryption to conceal command-and-control communications and can perform multiple malicious actions, including opening reverse shells and acting as a proxy for attackers.

2. Ghostwriter Targets Ukraine with Malware

A new malware campaign has been discovered targeting opposition activists in Belarus and Ukrainian military organizations. The operation, attributed to the Belarus-aligned Ghostwriter group, uses Microsoft Excel documents with malicious macros to deliver a variant of the PicassoLoader malware. The campaign has been ongoing since 2024 and continues to lure victims with socially engineered documents, primarily Ukraine-themed ones, that carry disguised macros.

3. Malware Exploits Drivers to Deploy Gh0st RAT

A large-scale malware campaign has been identified using a vulnerable Windows driver linked to Adlice’s product suite to bypass detection and deliver the Gh0st RAT malware. Researchers found that the attackers produced modified variants of the driver that evade detection by altering parts of the PE file while keeping the digital signature valid. The campaign used a legacy driver called Truesight.sys, with thousands of variants found, primarily targeting victims in China, Singapore, and Taiwan.

4. XSS Flaw Found in Popular WordPress Plugin

A critical vulnerability in the Essential Addons for Elementor plugin, used on over 2 million WordPress sites, exposed users to reflected cross-site scripting (XSS) attacks. The flaw, tracked as CVE-2025-24752, allowed attackers to inject malicious scripts through URL parameters because of insufficient input sanitization. The vulnerability, found in the password reset feature, could lead to session hijacking, phishing, or malware distribution.

5. Rsync Flaws Expose Servers to Attacks

A series of critical vulnerabilities in the Rsync file synchronization tool have put millions of servers at risk. Exploiting flaws in Rsync versions 3.2.7 and earlier, attackers can gain remote code execution, leak sensitive data, and manipulate file systems. One of the most severe vulnerabilities involves a heap buffer overflow, enabling attackers to overwrite critical data structures and achieve server compromise.


💥 Cyber Incidents

6. DISA Exposes Personal Data of Millions

A cybersecurity breach at DISA Global Solutions has compromised the personal information of over 3.3 million individuals, including 15,198 residents of Maine. The breach, which went undetected for 76 days, exposed sensitive data such as Social Security numbers and employment histories. Although there is no evidence of data misuse, cybersecurity experts are concerned about the risk of identity theft and financial fraud created by the delayed detection.

7. Have I Been Pwned Uncovers Massive Data Leak

Cybersecurity service Have I Been Pwned (HIBP) disclosed one of its largest data exposure events in history, unveiling 23 billion rows of stolen credentials tied to a malware operation called ALIEN TXTBASE. The breach involves 493 million website-email pairs, 284 million unique email addresses, and 244 million new passwords added to HIBP’s Pwned Passwords database. The data originated from a Telegram channel distributing stealer logs from malware-infected devices, which have been linked to global cybercrime networks.

8. Orange Romania Cyberattack Exposes Data

Orange Romania confirmed a cyberattack by hacker “Rey” from the HellCat ransomware group. The breach compromised 6.5 GB of data, including emails of current and former employees, payment card details, and information on customers of Yoxo, a no-contract subscription service. Despite the breach occurring in a non-critical back-office application, Orange has responded promptly, launching an investigation and cooperating with authorities to mitigate the attack’s impact.

9. Northern Caribbean University Cyberattack

Northern Caribbean University in Mandeville, Jamaica, is facing a significant cyberattack that has disrupted access to its online platforms. The attack has impacted the university’s Aeorion LMS, SMS, and main website, forcing the institution to shift classes to Zoom while face-to-face sessions continue. The university has engaged external cyber support services and is working with government agencies to resolve the situation and restore normal operations.

10. Siberian Dairy Plant Hit by LockBit Attack

Semyonishna, the largest dairy processing plant in southern Siberia, was recently targeted in a ransomware attack attributed to the LockBit variant. The breach occurred in December and is believed to be linked to the plant’s support for Russian troops in Ukraine. During the attack, hackers employed the remote access tool AnyDesk to infiltrate the plant’s systems, encrypting company data. The plant, located in the Russian republic of Khakassia, is a key supplier of dairy products like milk, cheese, yogurt, and sour cream, making the disruption impactful for both local and regional consumers.


📢 Cyber News

11. Sweden Seeks Backdoors in Messaging Apps

Swedish authorities are advocating for legislation that would compel messaging apps like Signal and WhatsApp to create technical backdoors for accessing encrypted communications. Signal has stated it would leave Sweden if such a law passes, as it could weaken the security of the app’s network. Despite opposition from privacy advocates and the Swedish Armed Forces, the bill may be introduced in the Riksdag next year, highlighting the global debate over encryption and law enforcement access.

12. UK Vulnerability Reporting Faces Legal Risks

The UK Home Office has introduced a new vulnerability reporting mechanism through HackerOne, which allows ethical hackers to report cybersecurity issues. However, the guidance issued with the platform warns researchers they must not break any laws, including those under the Computer Misuse Act of 1990. This places individuals at risk of prosecution, even if they follow the rules and report vulnerabilities in good faith, according to the CyberUp Campaign.

13. NinjaOne Secures 500 Million in Series C

NinjaOne, a Texas-based startup, has secured $500 million in Series C extensions, raising its valuation to $5 billion. The capital, from ICONIQ Growth and CapitalG, will fuel advancements in autonomous endpoint management, including automated patching and vulnerability remediation. The funds will also support NinjaOne’s $252 million acquisition of Dropsuite, enhancing its cloud data backup and recovery offerings.

14. Hackers Use New Exploit Code Within 48 Hours

In 2024, cybercriminals significantly increased the speed with which they exploit vulnerabilities. According to SonicWall’s Annual Cyber Threat Report, 61% of attackers used newly published exploit code within 48 hours of its release. This rapid weaponization of vulnerabilities has made defending against cyber threats more challenging for companies, especially small to medium-sized businesses (SMBs).

15. Skybox Security Shuts Down and Sells Assets

Skybox Security has shut down abruptly, laying off its entire workforce in Israel and the United States following the sale of its assets to Israeli cybersecurity firm Tufin. The closure, announced by CEO Mordecai Rosen, impacts about 300 employees and follows a series of significant investments in the company, including $335 million raised over the years. Tufin, which now owns Skybox’s technology, has committed to supporting affected customers with a transition program designed to ensure a smooth continuation of services.


Copyright © 2025 CyberMaterial. All Rights Reserved.
