
Google Secrets Stolen, Windows Hack, New Crypto Scams and More

Welcome to this week's Cybersecurity News Recap. Discover how cyber attackers are using clever tricks like fake codes and sneaky emails to gain access to sensitive data. We cover everything from device code phishing to cloud exploits, breaking down the technical details into simple, easy-to-follow insights.

⚡ Threat of the Week

Russian Threat Actors Leverage Device Code Phishing to Hack Microsoft Accounts — Microsoft and Volexity have revealed that threat actors with ties to Russia are leveraging a technique known as device code phishing to gain unauthorized access to victim accounts, and use that access to get hold of sensitive data and enable persistent access to the victim environment. At least three different Russia-linked clusters have been identified abusing the technique to date. The attacks entail sending phishing emails that masquerade as Microsoft Teams meeting invitations, which, when clicked, urge the message recipients to authenticate using a threat actor-generated device code, thereby allowing the adversary to hijack the authenticated session using the valid access token.

🔔 Top News

  • whoAMI Attack Exploits AWS AMI Name Confusion for Remote Code Execution — A new type of name confusion attack called whoAMI allows anyone who publishes an Amazon Machine Image (AMI) with a specific name to gain code execution within the Amazon Web Services (AWS) account. Datadog, which detailed the attack, said roughly 1% of organizations monitored by the company were affected by whoAMI, and that it found public examples of code written in Python, Go, Java, Terraform, Pulumi, and Bash shell using the vulnerable criteria. AWS told The Hacker News that there is no evidence of malicious exploitation of the security weakness.
  • RansomHub Targets Over 600 Orgs Globally — The RansomHub ransomware operation has targeted over 600 organizations worldwide, spanning sectors such as healthcare, finance, government, and critical infrastructure, making it one of the most active cybercrime groups in 2024. One such attack has been found to weaponize now-patched security flaws in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to a victim network's domain controller as part of their post-compromise strategy.
  • REF7707 Uses Outlook Drafts for Command-and-Control — A previously undocumented threat activity cluster dubbed REF7707 has been observed using a remote administration tool named FINALDRAFT that parses commands stored in the mailbox's drafts folder and writes the results of the execution into new draft emails for each command. It uses the Outlook email service via the Microsoft Graph API for command-and-control (C2) purposes. The group has been observed targeting the foreign ministry of an unnamed South American nation, as well as a telecommunications entity and a university, both located in Southeast Asia.
  • Kimsuky Embraces ClickFix-Style Attack Strategy — The North Korean threat actor known as Kimsuky (aka Black Banshee) is using a new tactic that involves deceiving targets into running PowerShell as an administrator and then instructing them to paste and run malicious code provided by them. "To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a spear-phishing email with an [sic] PDF attachment," Microsoft said. Users are then convinced to click on a URL, urging them to register their device in order to read the PDF attachment. The end goal of the attack is to establish a data communication mechanism that allows the adversary to exfiltrate data.
  • Law Enforcement Op Takes Down 8Base — A consortium of law enforcement agencies has arrested four Russian nationals and seized over 100 servers linked to the 8Base ransomware gang. The arrests were made in Thailand. Two of the suspects are accused of operating a cybercrime group that used Phobos ransomware to victimize more than 1,000 public and private entities in the country and worldwide. The development comes in the aftermath of a series of high-profile ransomware disruptions associated with Hive, LockBit, and BlackCat in recent years. Late last year, Evgenii Ptitsyn, a 42-year-old Russian national believed to be the administrator of the Phobos ransomware, was extradited to the U.S.
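To illustrate the whoAMI item above: an added Python example, not code from the article or from Datadog's research, that simulates an ec2:DescribeImages result set with constructed records (the attacker account ID and image IDs are placeholders; Canonical's owner ID is the real public one) and contrasts the vulnerable name-only lookup with an owner-pinned one.

```python
"""Simulated whoAMI name-confusion check (constructed data, no AWS API calls).

Shows why an AMI lookup that filters on name only and takes the newest
match can select an attacker-published image, and how pinning Owners
to a trusted account allowlist prevents it.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Canonical's well-known public AWS account ID (real); the attacker
# account ID below is a constructed placeholder.
TRUSTED_OWNERS = frozenset({"099720109477"})
ATTACKER_ACCOUNT = "111111111111"

# A name filter with a trailing wildcard plus "most recent wins" is the
# vulnerable criteria the article refers to.
NAME_PATTERN = "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"


@dataclass(frozen=True)
class Image:
    """Subset of an ec2:DescribeImages record relevant to the lookup."""
    image_id: str
    name: str
    owner_id: str
    creation_date: datetime


# Constructed result set: one genuine Canonical image and one public image
# published under the same naming scheme by an untrusted account, dated
# later so that "most recent" prefers it.
SAMPLE_IMAGES = [
    Image("ami-0aaaaaaaaaaaaaaaa",
          "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20250101",
          "099720109477", datetime(2025, 1, 1, tzinfo=timezone.utc)),
    Image("ami-0bbbbbbbbbbbbbbbb",
          "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20250201",
          ATTACKER_ACCOUNT, datetime(2025, 2, 1, tzinfo=timezone.utc)),
]


def _newest(images):
    return max(images, key=lambda img: img.creation_date, default=None)


def vulnerable_lookup(images, pattern=NAME_PATTERN):
    """Name filter only, no owner restriction: the whoAMI-prone pattern."""
    return _newest([img for img in images if fnmatchcase(img.name, pattern)])


def hardened_lookup(images, pattern=NAME_PATTERN, owners=TRUSTED_OWNERS):
    """Same query with the owner pinned to a trusted account allowlist."""
    return _newest([img for img in images
                    if img.owner_id in owners and fnmatchcase(img.name, pattern)])


def untrusted_images(images, owners=TRUSTED_OWNERS):
    """Defender audit: IDs of images whose publisher is not on the allowlist,
    useful when reviewing which AMIs existing instances were launched from."""
    return sorted(img.image_id for img in images if img.owner_id not in owners)


if __name__ == "__main__":
    print("vulnerable picks:", vulnerable_lookup(SAMPLE_IMAGES).image_id)
    print("hardened picks:  ", hardened_lookup(SAMPLE_IMAGES).image_id)
    print("untrusted in set:", untrusted_images(SAMPLE_IMAGES))
```

In real code the same fix is an explicit `Owners` list in the DescribeImages call (or `owners` in the Terraform `aws_ami` data source) rather than relying on the name alone.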

🔥 Trending CVEs

Your go-to software could be hiding dangerous security flaws—don't wait until it's too late! Update now and stay ahead of the threats before they catch you off guard.

This week's list includes — CVE-2025-1094 (PostgreSQL), CVE-2025-0108 (Palo Alto Networks PAN-OS), CVE-2025-23359 (NVIDIA Container Toolkit), CVE-2025-21391 (Microsoft Windows Storage), CVE-2025-21418 (Microsoft Windows Ancillary Function Driver for WinSock), CVE-2024-38657, CVE-2025-22467, CVE-2024-10644 (Ivanti Connect Secure), CVE-2024-47908 (Ivanti Cloud Services Application), CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, CVE-2024-56134, CVE-2024-56135 (Progress Kemp LoadMaster), CVE-2025-24200 (Apple iOS and iPadOS), CVE-2024-12797 (OpenSSL), CVE-2025-21298 (Microsoft Windows OLE), CVE-2025-1240 (WinZip), CVE-2024-32838 (Apache Fineract), CVE-2024-52577 (Apache Ignite), CVE-2025-26793 (Hirsch Enterphone MESH), CVE-2024-12562 (s2Member Pro plugin), CVE-2024-13513 (Oliver POS – A WooCommerce Point of Sale (POS) plugin), CVE-2025-26506 (HP LaserJet), CVE-2025-22896, CVE-2025-25067, CVE-2025-24865 (mySCADA myPRO Manager), CVE-2024-13182 (WP Directorybox Manager plugin), CVE-2024-10763 (Campress theme), CVE-2024-7102 (GitLab CE/EE), CVE-2024-12213 (WP Job Board Pro plugin), CVE-2024-13365 (Security & Malware scan by CleanTalk plugin), CVE-2024-13421 (Real Estate 7 theme), and CVE-2025-1126 (Lexmark Print Management Client).

📰 Around the Cyber World

  • Former Google Engineer Charged with Plan to Steal Trade Secrets — Linwei Ding, a former Google engineer who was arrested last March for transferring "sensitive Google trade secrets and other confidential information from Google's network to his personal account," has now been charged with seven counts of economic espionage and seven counts of theft of trade secrets related to the company's AI technology between 2022 and 2023. This included detailed information about the architecture and functionality of Google's Tensor Processing Unit (TPU) chips and systems and Graphics Processing Unit (GPU) systems, the software that allows the chips to communicate and execute tasks, and the software that orchestrates thousands of chips into a supercomputer capable of training and executing cutting-edge AI workloads. The trade secrets also relate to Google's custom-designed SmartNIC, a type of network interface card used to enhance Google's GPU, high performance, and cloud networking products. "Ding intended to benefit the PRC government by stealing trade secrets from Google," the U.S. Department of Justice said. "Ding allegedly stole technology relating to the hardware infrastructure and software platform that allows Google's supercomputing data center to train and serve large AI models." The superseding indictment also stated that Chinese-sponsored talent programs incentivize individuals engaged in research and development outside the country to transmit such information in exchange for salaries, research funds, lab space, or other incentives. If convicted, Ding faces a maximum penalty of 10 years in prison and up to a $250,000 fine for each trade-secret count and 15 years in prison and a $5,000,000 fine for each economic espionage count.
  • Windows UI Flaw Exploited by Mustang Panda — Israeli cybersecurity company ClearSky has warned that a suspected Chinese nation-state group known as Mustang Panda is actively exploiting a UI vulnerability in Microsoft Windows. "When files are extracted from compressed 'RAR' files they are hidden from the user," the company said. "If the compressed files are extracted into a folder, the folder appears empty in the Windows Explorer GUI. When using the 'dir' command to list all files and folders inside the target folder, the extracted files and folders are 'invisible/hidden' to the user. Threat actors or users can also execute these compressed files from a command line prompt, if they know the exact path. As a result of executing 'attrib -s -h' on system protected files, an unknown file type is created from the type 'Unknown' ActiveX component." It is currently not clear who the targets of the attack are, and what the end goals of the campaign are.
  • Meta Paid Over $2.3M in Bug Bounty Rewards in 2024 — Meta said it paid out more than $2.3 million in rewards to nearly 200 security researchers as part of its bug bounty program in 2024. In total, the company has handed out more than $20 million since the inception of the program in 2011. The top three countries based on bounties awarded in 2024 are India, Nepal, and the United States.
  • Critical ThinkPHP and OwnCloud Flaws Under Active Exploitation — Threat actors are attempting to actively exploit two known security vulnerabilities impacting ThinkPHP (CVE-2022-47945, CVSS score: 9.8) and OwnCloud (CVE-2023-49103, CVSS score: 10.0) over the past few days, with attacks originating from hundreds of unique IP addresses, most of which are based in Germany, China, the U.S., Singapore, Hong Kong, the Netherlands, the U.K., and Canada. Organizations are recommended to apply the necessary patches (ThinkPHP to 6.0.14+ and ownCloud GraphAPI to 0.3.1+) and restrict access to reduce the attack surface.
  • FSB Mole Arrested in Ukraine — The Security Service of Ukraine (SSU) said it had detained one of its own high-level officers, accusing them of acting as a mole for Russia. The individual, one of the officers of the SSU Counterterrorism Center, is alleged to have been recruited by Russia's Federal Security Service (FSB) in Vienna in 2018, and actively began engaging in espionage at the end of December last year, transmitting documents containing state secrets to the intelligence agency via a "special mobile phone." The SSU, upon learning of the individual's actions, said it "used him in a counterintelligence 'game': through the traitor the SSU fed the enemy a large amount of disinformation." The individual's name was not disclosed, but the Kyiv Independent said it is Colonel Dmytro Kozyura, citing unnamed SSU sources.
  • LLMjacking Hits DeepSeek — Malicious actors have been observed capitalizing on the popularity of AI chatbot platform DeepSeek to conduct what's called LLMjacking attacks that involve selling the access obtained to legitimate cloud environments to other actors for a price. These attacks involve the use of stolen credentials to allow access to machine learning services via the OpenAI Reverse Proxy (ORP), which acts as a reverse proxy server for LLMs of various providers. The ORP operators hide their IP addresses using TryCloudflare tunnels. Ultimately, the illicit LLM access is used to generate NSFW content and malicious scripts, and even to circumvent bans on ChatGPT in countries like China and Russia, where the service is blocked. "Cloud-based LLM usage costs can be staggering, surpassing several hundreds of thousands of dollars monthly," Sysdig said. "The high cost of LLMs is the reason cybercriminals choose to steal credentials rather than pay for LLM services. Due to steep costs, a black market for access has developed around OAI Reverse Proxies — and underground service providers have risen to meet the needs of consumers."
  • Romance Baiting Scams Soar 40% YoY — Pig butchering scams, also called romance baiting, have accounted for 33.2% of the estimated $9.9 billion revenue earned by cybercriminals in 2024 from cryptocurrency scams, rising nearly 40% year-over-year. However, the average deposit amount to pig butchering scams declined 55% YoY, probably indicating a shift in how these scams are conducted. "Pig butchering scammers have also evolved to diversify their business model beyond the 'long con' of pig butchering scams — which can take months or even years of developing a relationship before receiving victim funds — to quicker turnaround employment or work-from-home scams that typically yield smaller victim deposits," Chainalysis said. Further analysis of on-chain activity has found that HuiOne Guarantee is heavily used for illicit crypto-based activities supporting the pig butchering industry in Southeast Asia. Scammers have also been observed using generative AI technology to facilitate crypto scams, often to impersonate others or generate realistic content.
  • Security Issues in RedNote Flagged — It's not just DeepSeek. A new network security analysis undertaken by the Citizen Lab has uncovered multiple issues in RedNote's (aka Xiaohongshu) Android and iOS apps. This includes fetching viewed images and videos over HTTP, transmitting insufficiently encrypted device metadata, as well as a vulnerability that allows network attackers to learn the contents of any files that RedNote has permission to read on the users' devices. While the second vulnerability was introduced by an upstream analytics SDK, MobTech, the third issue was introduced by NEXTDATA. As of writing, all the issues remain unpatched. The vulnerabilities "could enable surveillance by any government or ISP, and not just the Chinese government," the Citizen Lab said.
  • CISA Urges Orgs to Address Buffer Overflows — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a Secure by Design Alert, urging organizations to eliminate buffer overflow vulnerabilities in software. "These vulnerabilities can lead to data corruption, sensitive data exposure, program crashes, and unauthorized code execution," the agencies said, labeling them as unforgivable defects. "Threat actors frequently exploit these vulnerabilities to gain initial access to an organization's network and then move laterally to the wider network." Saeed Abbasi, manager of vulnerability research at Qualys Threat Research Unit (TRU), emphasized the need to switch from memory unsafe languages. "Legacy excuses are out; the world has zero tolerance for memory-unsafe code in 2025," Abbasi said. "Yes, rewriting old systems is daunting, but letting attackers exploit decades-old buffer overflows is worse. Organizations still clinging to unsafe languages risk turning minor vulnerabilities into massive breaches—and they can't claim surprise. We've had proven fixes for ages: phased transitions to Rust or other memory-safe options, compiler-level safeguards, thorough adversarial testing, and public commitments to a secure-by-design roadmap. The real challenge is collective will: leadership must demand memory-safe transitions, and software buyers must hold vendors accountable."
  • Foreign Adversaries Target Local Communities in the U.S. for Influence Ops — A new report from the Alliance for Securing Democracy (ASD) has found that foreign nation-state actors from Russia, China, and Iran are running influence operations that exploit trust in local sources and influence state and local communities in the U.S. with an aim to manipulate public opinion, stoke discord, and undermine democratic institutions. "In some cases, adversarial nations seek favorable outcomes around local policy issues; in others, they use local debates as Trojan horses to advance their broader geopolitical agendas," the research said. Russia emerged as the most active threat actor, with 26 documented cases designed to polarize Americans through themes related to immigration and election integrity. Beijing, on the other hand, sought to cultivate support for Chinese state interests.
  • Financial Orgs Asked to Switch to Quantum-Safe Cryptography — Europol is urging financial institutions and policymakers to transition to quantum-safe cryptography, citing an "imminent" threat to cryptographic security due to the rapid advancement of quantum computing. The primary risk is that threat actors could steal encrypted data today with the intention of decrypting it in the future using quantum computing, a technique called "harvest now, decrypt later" or retrospective decryption. "A sufficiently advanced quantum computer has the potential to break widely used public-key cryptographic algorithms, endangering the confidentiality of financial transactions, authentication processes, and digital contracts," the agency said. "While estimates suggest that quantum computers capable of such threats could emerge within the next 10 to 15 years, the time required to transition away from vulnerable cryptographic methods is significant. A successful transition to post-quantum cryptography requires collaboration among financial institutions, technology providers, policymakers, and regulators." Last year, the U.S. National Institute of Standards and Technology (NIST) formally announced the first three "quantum-safe" algorithms.
  • Google Addresses High Impact Flaws — Google has addressed a pair of security flaws that could be chained by malicious actors to unmask the email address of any YouTube channel owner. The first of the two is a vulnerability identified in a YouTube API that could leak a user's GAIA ID, a unique identifier used by Google to manage accounts across its network of sites. This ID could then be fed as input to an outdated web API associated with Pixel Recorder to convert it into an email address when sharing a recording. Following responsible disclosure on September 24, 2024, the issues were resolved as of February 9, 2025. There is no evidence that these shortcomings were ever abused in the wild.
  • New DoJ Actions Target Crypto Fraud — Eric Council Jr., 25, of Alabama, has pleaded guilty to charges related to the January 2024 hacking of the U.S. Securities and Exchange Commission's (SEC) X account. The account was taken over to falsely announce that the SEC approved BTC Exchange Traded Funds, causing a spike in the price of bitcoin. The attack was carried out through an unauthorized Subscriber Identity Module (SIM) swap carried out by the defendant, tricking a mobile phone provider store into reassigning the victim's phone number to a SIM card in their possession using a fraudulent identity card printed using an ID card printer. Council, who was arrested in December 2024, pleaded guilty to conspiracy to commit aggravated identity theft and access device fraud. If convicted, he faces a maximum penalty of five years in prison. In a related development, a 22-year-old man from Indiana, Evan Frederick Light, was sentenced to 20 years in federal prison for running a massive cryptocurrency theft scheme from his mother's basement. Light broke into an investment holdings company in South Dakota in February 2022, stealing customers' personal data and cryptocurrency worth over $37 million from nearly 600 victims. The stolen cryptocurrency was then funneled to various locations throughout the world, including several mixing services and gambling websites, to conceal his identity and to hide the virtual currency. Separately, the Justice Department has also charged Canadian national Andean Medjedovic, 22, for exploiting smart contract vulnerabilities in two decentralized finance crypto platforms, KyberSwap and Indexed Finance, to fraudulently obtain about $65 million from the protocols' investors between 2021 and 2023. A master's degree holder in mathematics from the University of Waterloo, Medjedovic is also alleged to have laundered the proceeds through mixers and bridge transactions in an attempt to conceal the source and ownership of the funds. Medjedovic is charged with one count of wire fraud, one count of unauthorized damage to a protected computer, one count of attempted Hobbs Act extortion, one count of money laundering conspiracy, and one count of money laundering. He faces over 30 years in prison.
  • U.S. Lawmakers Warn Against U.K. Order for Backdoor to Apple Data — After reports emerged that security officials in the U.K. have ordered Apple to create a backdoor to access any Apple user's iCloud content, U.S. Senator Ron Wyden and Member of Congress Andy Biggs have sent a letter to Tulsi Gabbard, the Director of National Intelligence, urging the U.K. to retract its order, citing that it threatens the "privacy and security of both the American people and the U.S. government." "If the U.K. does not immediately reverse this dangerous effort, we urge you to reevaluate U.S.-U.K. cybersecurity arrangements and programs as well as U.S. intelligence sharing with the U.K.," they added. The purported Apple backdoor request would reportedly allow authorities to access data currently secured by Advanced Data Protection, potentially affecting users worldwide. Wyden has also released a draft version of the Global Trust in American Online Services Act that seeks to "secure Americans' communications against abusive foreign demands to weaken the security of communications services and software used by Americans." While security experts have criticized the order, British officials have neither confirmed nor denied it.

🎥 Cybersecurity Webinars

  • Webinar 1: From Code to Runtime: Transform Your App Security — Join our webinar with Amir Kaushansky from Palo Alto Networks and see how ASPM can change your app security. Learn how to connect code details with live data to fix gaps before they become risks. Discover practical, proactive ways to protect your applications in real time.
  • Webinar 2: From Debt to Defense: Fix Identity Gaps Fast — Join our free webinar with experts Karl Henrik Smith and Adam Boucher as they show you how to spot and close identity gaps with Okta's Secure Identity Assessment. Learn simple steps to streamline your security process, focus on key fixes, and build a stronger defense against threats.

P.S. Know someone who could use these? Share it.

🔧 Cybersecurity Tools

  • WPProbe — It's a fast WordPress plugin scanner that uses REST API enumeration to stealthily detect installed plugins without brute force, scanning by querying exposed endpoints and matching them against a precompiled database of over 900 plugins. It even maps detected plugins to known vulnerabilities (CVE) and outputs results in CSV or JSON format, making your scans both speedy and less likely to trigger security defenses.
  • BruteShark — It's a powerful and user-friendly Network Forensic Analysis Tool built for security researchers and network administrators. It digs deep into PCAP files or live network captures to extract passwords, rebuild TCP sessions, map your network visually, and even convert password hashes for offline brute force testing with Hashcat. Available as a Windows GUI or a versatile CLI for Windows and Linux.

🔒 Tip of the Week

Segment Your Wi-Fi Network for Better Security — In today's smart home, you likely have many connected devices—from laptops and smartphones to smart TVs and various IoT gadgets. When all these devices share the same Wi-Fi network, a breach in one device could potentially put your entire network at risk. Home network segmentation helps protect you by dividing your network into separate parts, similar to how large businesses isolate sensitive information.

To set this up, use your router's guest network or VLAN features to create different SSIDs, such as "Home_Private" for personal devices and "Home_IoT" for smart gadgets. Ensure each network uses strong encryption (WPA3 or WPA2) with unique passwords, and configure your router so devices on one network cannot communicate with those on another. Test your setup by connecting your devices accordingly and verifying that cross-network traffic is blocked, then periodically check your router's dashboard to keep the configuration running smoothly.


Conclusion

That wraps up this week's cybersecurity news. We've covered a broad range of stories—from the case of a former Google engineer charged with stealing key AI secrets to hackers taking advantage of a Windows user interface flaw. We've also seen how cybercriminals are moving into new areas like AI misuse and cryptocurrency scams, while law enforcement and industry experts work hard to catch up.

These headlines remind us that cyber threats come in many forms, and every day new risks emerge that can affect everyone from large organizations to individual users. Keep an eye on these developments and take steps to protect your digital life. Thank you for joining us, and we look forward to keeping you informed next week.
