Information Security News – 3/3/2025

Anagram Takes a Gamified Approach to Employee Security Training

Article Link: https://techcrunch.com/2025/02/26/anagram-takes-a-gamified-approach-to-employee-cybersecurity-training/

  • Startup company Anagram is utilizing gamification to transform traditional, often mundane security training into dynamic learning experiences. The company offers bite-sized videos and interactive puzzles designed to engage employees and enhance their understanding of security protocols.
  • By incorporating game-like, behavior-modifying elements inspired by TikTok, Duolingo, and Khan Academy, Anagram addresses the challenge of employee disengagement in training programs and promotes a more proactive security culture within organizations. Thomson Reuters, MassMutual, and Disney are among the companies that have experienced the benefits Anagram’s training offers.
  • An engaged workforce is better equipped to identify and respond to security challenges. Anagram’s partner companies report a decrease in phishing failure rates from 20% to 6%.
  • Even with gamification, regular training schedules and continuous participation are key. Emphasizing the importance of ongoing education can lead to a more vigilant and informed team.

Understanding OWASP’s Top 10 List of Non-Human Identity Risks

Article Link: https://www.csoonline.com/article/3828216/understanding-owasps-top-10-list-of-non-human-identity-critical-risks.html

  • OWASP has unveiled a new Top 10 list focusing on risks tied to non-human identities (NHI), such as API keys, service accounts, third-party applications, and automation scripts. These often-overlooked digital entities can introduce major security gaps if not properly managed.
  • The report sheds light on key NHI threats, including secret leakage, excessive permissions, and weak credential management. These weaknesses, and the NHI carrying them, can go undetected for extended periods.
  • Organizations relying on cloud and automation technologies are particularly at risk, as NHI often outnumber human identities at a rate of up to 50:1. Mismanagement in this area can open the door to supply chain attacks, data exfiltration, and service disruptions.
  • Defensive measures include rotating credentials regularly, enforcing least privilege access, and continuously monitoring for anomalies. A proactive approach to managing NHI is necessary to prevent security blind spots.

Botnet Targets Basic Auth in Microsoft 365 Password Spray Attacks

Article Link: https://www.bleepingcomputer.com/news/security/botnet-targets-basic-auth-in-microsoft-365-password-spray-attacks/

  • A botnet campaign of more than 130,000 compromised devices is targeting Microsoft 365 users through password-spraying attacks, exploiting weak and reused passwords across multiple accounts.
  • Attackers are leveraging outdated authentication methods to automate login attempts at scale, with the goal of bypassing security defenses and gaining access to sensitive corporate data.
  • As cloud-based collaboration tools remain a prime target, businesses dependent on M365 are facing an increased threat of account takeovers. Legacy authentication protocols remain a weak point.
  • Businesses are reminded to strengthen access controls, enforce multifactor authentication, and disable legacy authentication to reduce their vulnerability to these attacks. As password spraying attacks grow in frequency, improving credential hygiene remains a fundamental security measure.
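A defender's view of the pattern described above, as an added example that is not part of the article or of any Microsoft tooling: password spraying shows up in sign-in logs as one source address failing against many distinct accounts with only one or two attempts each (the inverse of a brute-force burst against one account), and successes over legacy protocols matter because those protocols do not prompt for MFA. The log below is constructed; the client-app names are modelled on the `clientAppUsed` values seen in Entra ID sign-in logs, and the thresholds are assumptions to tune for your tenant.

```python
"""Flag password-spray patterns and legacy-auth successes in sign-in logs.
Added example; the log lines are constructed and the thresholds are assumptions."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (CSV). Columns mirror common sign-in log fields.
SAMPLE_LOG = """timestamp,source_ip,user,result,client_app
2025-02-24T10:00:01Z,198.51.100.7,alice@example.com,Failure,Exchange ActiveSync
2025-02-24T10:00:04Z,198.51.100.7,bob@example.com,Failure,Exchange ActiveSync
2025-02-24T10:00:07Z,198.51.100.7,carol@example.com,Failure,Exchange ActiveSync
2025-02-24T10:00:10Z,198.51.100.7,dave@example.com,Failure,Exchange ActiveSync
2025-02-24T10:00:13Z,198.51.100.7,erin@example.com,Success,Exchange ActiveSync
2025-02-24T10:05:00Z,203.0.113.9,alice@example.com,Failure,Browser
2025-02-24T10:05:20Z,203.0.113.9,alice@example.com,Failure,Browser
2025-02-24T10:05:40Z,203.0.113.9,alice@example.com,Success,Browser
2025-02-24T11:30:00Z,192.0.2.55,frank@example.com,Failure,IMAP4
"""

# Client apps that authenticate with basic/legacy auth and therefore skip MFA (assumed set).
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}


def parse_log(text):
    """Parse the CSV log into dicts with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def detect_spray(rows, window=timedelta(minutes=30), min_users=4, max_per_user=2):
    """Return {source_ip: sorted sprayed users} for IPs whose failures inside `window`
    touch at least `min_users` accounts with no more than `max_per_user` tries each."""
    by_ip = defaultdict(list)
    for r in rows:
        if r["result"].lower() == "failure":
            by_ip[r["source_ip"]].append(r)
    hits = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["timestamp"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until all events fit inside `window`.
            while events[end]["timestamp"] - events[start]["timestamp"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in events[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[ip] = sorted(per_user)
    return hits


def legacy_auth_successes(rows):
    """Successful sign-ins over legacy protocols; each one bypassed MFA and deserves review."""
    return [(r["source_ip"], r["user"], r["client_app"]) for r in rows
            if r["result"].lower() == "success" and r["client_app"] in LEGACY_CLIENT_APPS]


def compromised_after_spray(rows, hits):
    """Accounts that signed in successfully from an IP already flagged as spraying."""
    return sorted({r["user"] for r in rows
                   if r["source_ip"] in hits and r["result"].lower() == "success"})


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    sprays = detect_spray(log)
    for ip, users in sprays.items():
        print(f"spray from {ip}: {len(users)} accounts {users}")
    print("legacy-auth successes:", legacy_auth_successes(log))
    print("likely compromised:", compromised_after_spray(log, sprays))
```

On the constructed log this flags 198.51.100.7 as spraying four accounts and surfaces erin's Exchange ActiveSync success from that same address as the likely takeover; the single-account failures from 203.0.113.9 are not flagged. The same grouping (many users, few tries, one source) is what you would express as a query in your SIEM, with the legacy-protocol filter as a separate alert until legacy authentication is disabled outright.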

PayPal “New Address” Feature Abused to Send Phishing Emails

Article Link: https://www.bleepingcomputer.com/news/security/beware-paypal-new-address-feature-abused-to-send-phishing-emails/

  • Attackers are exploiting PayPal’s “New Address” feature, using it to send fraudulent emails appearing legitimate. This method deceives users into believing unauthorized transactions have occurred.
  • The abuse takes advantage of PayPal’s automated notifications, making phishing emails nearly indistinguishable from genuine alerts. Mail headers were analyzed to uncover how the scam was executed and identify a vulnerability on PayPal’s part, allowing the injection of these scam messages.
  • As online payment fraud continues to evolve, both individuals and businesses face growing risks of account compromise. These deceptive tactics make traditional email security measures less effective.
  • Users can reduce risk by verifying account changes directly within their PayPal dashboard, rather than relying on email notifications. Ongoing awareness of ever-maturing phishing techniques remains essential for account security.

61% of Hackers Use New Exploit Code Within 48 Hours of Attack

Article Link: https://www.infosecurity-magazine.com/news/hackers-use-exploit-code-within-48/

  • A recent study from SonicWall found that 61% of cybercriminals deploy new exploit code within 48 hours of a vulnerability being disclosed. This rapid turnaround puts pressure on organizations to patch software and implement mitigations quickly to match threat actors’ speed of exploitation.
  • Of note from the research are the numerous operational challenges faced by the healthcare industry, which led to the total cost of an average attack in this sector being $4.91 million, more than 5 times the average ransom payment of $850,700 made to threat actors in 2024.
  • Key recommendations provided in the report include implementing real-time patch management and zero-trust security modeling, ensuring tighter IoT security controls, and partnering with MSSPs for 24/7 threat modeling, among other actions.
  • The report emphasizes the need for faster vulnerability management processes. Organizations with slower, more manual patching processes are at greater risk.
  • Report: https://www.sonicwall.com/resources/white-papers/2025-sonicwall-cyber-threat-report

Have I Been Pwned Adds 284 million Accounts Stolen from Infostealer Malware

Article Link: https://www.bleepingcomputer.com/news/security/have-i-been-pwned-adds-284m-accounts-stolen-by-infostealer-malware/

  • Data breach notification service Have I Been Pwned (HIBP) has added 284 million compromised accounts from infostealer malware logs. The stolen data was discovered circulating on Telegram in a collection named “ALIEN TXTBASE”, amounting to 1.5TB, significantly expanding HIBP’s database.
  • The dataset includes 23 billion rows of stolen credentials, representing 493 million unique website and email address combinations. 244 million new passwords were added, while 199 million previously seen passwords had their exposure counts updated.
  • The stolen passwords were confirmed legitimate through an analysis of password reset attempts, showing the data was actively being used for account takeovers. The availability of this data enables phishing campaigns, fraud, and unauthorized access.
  • Individuals are encouraged to check HIBP for exposed credentials and take immediate action if affected. Regular password hygiene is essential to preventing unauthorized access.
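Checking a password against HIBP's Pwned Passwords data without sending the password itself, as an added example (not the article's or HIBP's own code): the service's range endpoint takes only the first five hex characters of the password's SHA-1 hash and returns every matching hash suffix with its breach count, so the client finishes the comparison locally. The range response below is constructed for the offline run; the URL and response format are the public API's, and the `fetch` parameter exists so the lookup can be swapped out in tests.

```python
"""k-anonymity lookup against HIBP Pwned Passwords. Added example; sample data constructed."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 the password (uppercase hex) and split into the 5-char prefix that is sent
    and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_from_range(range_body, suffix):
    """Parse a range response ('SUFFIX:COUNT' per line) and return the count for our
    suffix, or 0 when it is absent (a 0 count also covers padded filler entries)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup: only the 5-char prefix travels over the network."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Number of times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return count_from_range(fetch(prefix), suffix)


# Constructed stand-in for the range response to prefix 5BAA6 (SHA-1 of "password").
# The suffix lines and counts are made up for this example; real responses are longer.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0
"""

if __name__ == "__main__":
    # Offline run using the constructed response instead of the network.
    print("password ->", pwned_count("password", fetch=lambda p: SAMPLE_RANGE_5BAA6))
    print("correct horse battery staple ->",
          pwned_count("correct horse battery staple", fetch=lambda p: SAMPLE_RANGE_5BAA6))
```

The second lookup returns 0 only because the constructed response does not contain that hash's suffix; against the live endpoint its prefix differs, so a different range would be fetched. The same split-and-compare pattern is what a password-change form can run server-side to reject credentials already present in infostealer dumps, without ever logging the plaintext.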

How Nice that State-of-the-Art LLMs Reveal Their Reasoning…for Miscreants to Exploit

Article Link: https://www.theregister.com/2025/02/25/chain_of_thought_jailbreaking/ 

  • Researchers have discovered that attackers are exploiting large language models (LLMs) by manipulating their reasoning process. A jailbreaking technique that hijacks the models’ chain-of-thought (CoT) safety reasoning allows users to bypass security measures and extract restricted information.
  • The researchers detailed their utilization of this technique on various LLMs in the paper out of Duke University, “H-CoT: Hijacking the Chain-of-Thought Safety Reasoning Mechanism to Jailbreak Large Reasoning Models, Including OpenAI o1/o3, DeepSeek-R1, and Gemini 2.0 Flash Thinking”.
  • By carefully structuring prompts, attackers can guide AI models into revealing sensitive details, generating exploit code, or assisting in bypassing security controls, thereby unintentionally exposing vulnerabilities in digital systems.
  • As LLMs become more widely integrated into business operations, concerns about their security implications continue to grow. Organizations relying on AI must continue to be aware of its risks.
  • Research paper: https://arxiv.org/pdf/2502.12893

Employee Screener Confirms Data Breach Impacting Over 3 Million

Article Link: https://techcrunch.com/2025/02/25/us-employee-screening-giant-disa-says-hackers-accessed-data-of-more-than-3m-people/  

  • DISA Global Solutions, a major US employee screening firm serving more than 55,000 enterprises and a third of the Fortune 500, has suffered a data breach compromising over 3 million people’s Social Security numbers, work history, and other personally identifiable information.
  • The breach was confirmed in a filing with Maine’s attorney general on 2/24/2025, with a separate filing with the Massachusetts attorney general confirming more than 360,000 state residents affected.
  • DISA reported being a victim of an incident on 4/22/2024, while an internal investigation determined network infiltration on 2/9/2024, with the attacker going unnoticed for over two months. It is unknown at this time who was responsible for the attack, how the compromise occurred, and why DISA’s breach notification has taken so long.
  • With organizations increasingly relying on third-party vendors for background checks, the security of these service providers is a growing concern. Companies entrusting sensitive data to external firms must evaluate the risks associated with vendor security practices.

Apple Removed iCloud Encryption in UK Following Backdoor Demand

Article Link: https://securityaffairs.com/174500/security/apple-removes-icloud-encryption-in-uk.html

  • Apple has removed Advanced Data Protection (ADP), its end-to-end encryption setting, from iCloud backups in the UK, citing compliance with the country’s Online Safety Act. This decision has raised concerns over data privacy for millions of users.
  • The law requires tech companies to provide authorities with access to encrypted user data when requested. While officials claim this aids law enforcement, critics warn it weakens personal security.
  • With tech regulations tightening globally, this move sets a precedent for future encryption debates. Similar demands could emerge in other countries, impacting data protection worldwide.
  • Users may consider alternative encrypted backup solutions or adjust their storage habits to maintain control over sensitive information.
