At a glance.
- Cyber Command ordered to halt offensive operations against Russia during Ukraine negotiations.
- Ransomware actors exploit Paragon Partition Manager vulnerability.
- Amnesty International publishes analysis of Cellebrite exploit chain.
- California orders data broker to shut down for violating the Delete Act.
Cyber Command ordered to halt offensive operations against Russia during Ukraine negotiations.
The Record reports that US Defense Secretary Pete Hegseth has ordered Cyber Command to halt offensive cyber operations against Russia. The full scope of the directive is unclear, but it does not include the NSA or its signals intelligence operations targeting Russia. The Washington Post cites a current US official familiar with the order as saying the pause is meant to last only as long as negotiations over the war in Ukraine continue. The Post says the operations being halted "could include exposing or disabling malware found in Russian networks before it can be used against the United States, blocking Russian hackers from servers that they may be preparing to use for their own offensive operations or disrupting a site promoting anti-U.S. propaganda."
The New York Times notes, "Former officials said it was common for civilian leaders to order pauses in military operations during sensitive diplomatic negotiations, to avoid derailing them. Still, for President Trump and Mr. Hegseth, the retreat from offensive cyberoperations against Russian targets represents a huge gamble. It essentially counts on Mr. Putin to reciprocate by letting up on what many call the 'shadow war' underway against the United States and its traditional allies in Europe."
The Pentagon declined to comment on the report. A senior Defense official told the Record, "Due to operational security concerns, we do not comment nor discuss cyber intelligence, plans, or operations. There is no greater priority to Secretary Hegseth than the safety of the Warfighter in all operations, to include the cyber domain."
Ransomware actors exploit Paragon Partition Manager vulnerability.
Researchers at Microsoft discovered five vulnerabilities affecting a driver used by Paragon Partition Manager, one of which is being exploited by ransomware actors, BleepingComputer reports. Microsoft has observed ransomware attackers using the flaw to achieve SYSTEM-level privilege escalation before executing additional malware.
An advisory from the CERT Coordination Center (CERT/CC) explains, "An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim's machine. Additionally, as the attack involves a Microsoft-signed Driver, an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed."
Paragon Software has issued patches for the flaws, and users of Partition Manager should upgrade to the latest version.
Amnesty International publishes analysis of Cellebrite exploit chain.
Amnesty International has published a follow-up to its December 2024 report on the Serbian government's alleged misuse of Cellebrite's cell phone data extraction tool. Amnesty's latest report, published on Friday, outlines "a new case of misuse of a Cellebrite product to break into the phone of a youth activist in Serbia." The report shares technical details on "a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite."
Amnesty explains, "The exploit, which targeted Linux kernel USB drivers, enabled Cellebrite customers with physical access to a locked Android device to bypass an Android phone’s lock screen and gain privileged access on the device. As the exploit targets core Linux kernel USB drivers, the impact is not limited to a particular device or vendor and could affect a very wide range of devices. The same vulnerabilities could also expose Linux computers and Linux-powered embedded devices to physical attacks, although there is no evidence that this exploit chain has been designed to target non-Android Linux devices."
Last week, Cellebrite announced it would suspend its services in Serbia, citing Amnesty's December report.
California orders data broker to shut down for violating the Delete Act.
The state of California's Privacy Protection Agency (CPPA) last Thursday ordered a data broker to cease operations for three years for failing to register with the state, the Record reports. The California Delete Act, which took effect in January 2024, requires data brokers to register with the CPPA in order to provide a mechanism through which consumers can request to have their data deleted. The broker in this case, called "Background Alert," has agreed to the settlement terms. The Record notes that such a ruling against a data broker is unprecedented.