Alerts on Zero-Day Exploits, AI Breaches, and Crypto Heists



Mar 03, 2025, by Ravie Lakshmanan


This week, a 23-year-old Serbian activist found themselves at the crossroads of digital danger when a stealthy zero-day exploit turned their Android device into a target. Meanwhile, Microsoft pulled back the curtain on a scheme in which cybercriminals used AI tools for harmful ends, and a huge trove of live secrets was discovered, reminding us that even the tools we rely on can hide dangerous surprises.

We have sifted through a storm of cyber threats, from phishing scams to malware attacks, and broken down what it means for you in clear, everyday language. Get ready to dive into the details, understand the risks, and learn how to protect yourself in an increasingly unpredictable online world.

⚡ Threat of the Week

Serbian Youth Activist Targeted by Android 0-Day Exploit Chain — A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit chain developed by Cellebrite to unlock the device and likely deploy an Android spyware known as NoviSpy. The flaws combined CVE-2024-53104 with CVE-2024-53197 and CVE-2024-50302 to escalate privileges and achieve code execution. The vulnerabilities, originally present in the Linux kernel, were addressed in December 2024. CVE-2024-53104 has since been addressed in Android as of early February 2025. In response to the development, Cellebrite said it would no longer allow Serbia to use its software, stating “we found it appropriate to stop the use of our products by the relevant customers at this time.”


🔔 Top News

  • Microsoft Unmasks People Behind LLMjacking Scheme — Microsoft revealed the identities of four individuals who it said were behind an Azure Abuse Enterprise scheme that involves leveraging unauthorized access to generative artificial intelligence (GenAI) services in order to produce offensive and harmful content. The campaign, also called LLMjacking, has targeted various AI service providers, with the threat actors selling the access to other criminal actors to facilitate the illicit generation of non-consensual intimate images of celebrities and other sexually explicit content in violation of its policies.
  • Common Crawl Dataset Contains Nearly 12,000 Live Secrets — An analysis of a December 2024 archive from Common Crawl has uncovered nearly 12,000 live secrets, once again highlighting how hard-coded credentials pose a severe security risk to users and organizations alike. Furthermore, they also have the unintended side effect of exacerbating a problem where large language models (LLMs) end up suggesting insecure coding practices to their users due to the presence of hard-coded credentials in training data.
  • Silver Fox APT Uses Winos 4.0 to Target Taiwanese Orgs — Taiwanese companies have been targeted via phishing emails that masquerade as the country’s National Taxation Bureau with an aim to deliver the Winos 4.0 (aka ValleyRAT) malware. Winos, derived from Gh0st RAT, is a modular malware framework that acts both as a remote access trojan and a command-and-control (C2) framework. The malware has also been propagated via trojanized installers for Philips DICOM viewers. A majority of these artifacts have been detected in the U.S. and Canada, indicating a possible expansion of the Silver Fox APT’s targeting to new regions and sectors.
  • Australia Bans Kaspersky Products from Government Networks — Australia has become the latest country to ban the installation of security software from Russian company Kaspersky, citing “unacceptable security risk to Australian Government, networks and data.” Under the new directive, government entities are prohibited from installing Kaspersky’s products and web services on government systems and devices effective April 1, 2025. They have also been recommended to remove all existing instances by the cutoff date.
  • Bybit Hack Officially Attributed to Lazarus Group — The North Korea-linked Lazarus Group has been implicated in the record-breaking hack of crypto exchange Bybit that led to the theft of $1.5 billion in digital assets. The attack has been attributed to a threat cluster dubbed TraderTraitor, which was previously behind the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024. Further investigation has found that the hack was carried out by compromising one of the developer’s machines associated with multisig wallet platform Safe{Wallet}, which affected an account operated by Bybit. “The Bybit attack mirrors North Korea’s established tactics of targeting centralized crypto exchanges through methods such as phishing, supply chain compromises, and private key theft-strategies,” TRM Labs said. An infrastructure analysis has also found that the threat actors registered a fake domain named bybit-assessment[.]com a few hours before the theft occurred. Silent Push, which discovered the domain, told The Hacker News it found no information to tie the bogus domain to the actual hack itself. It’s believed that the domain may have been set up as part of another related campaign codenamed Contagious Interview. The company also noted that the threat actors behind the Contagious Interview campaign are actively targeting various cryptocurrency companies such as Stripe, Coinbase, Binance, Block, Ripple, Robinhood, Tether, Circle, Kraken, Gemini, Polygon, Chainalysis, KuCoin, eToro, Bitstamp, Bitfinex, Gate.io, Pantera Capital, Galaxy, Bitwise Asset Management, Bitwise Investments, BingX, Gauntlet, XY Labs, YouHodler, MatChain, Bemo, Barrowwise, Bondex, Halliday, Holidu, Hyphen Connect, and Windranger. “Anyone applying for a job at one of these companies should be on the lookout for suspicious job offers or suspicious interview tactics,” the company added.
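The Common Crawl finding above is, in practice, a secret-scanning problem: credentials end up in published HTML and JavaScript, and anyone who crawls the web (researchers, attackers, or an LLM training pipeline) can pick them up. The scanner below is an added example, not code from the original article or from the researchers behind the analysis. It runs over a constructed page fragment (the key values are the publicly documented AWS example credentials, not live secrets), flags an AWS-style access key ID by its well-known `AKIA` prefix, flags any `secret`/`api_key`/`token`/`password`-named field whose value is long and has high Shannon entropy, and redacts what it reports so the scan output does not re-leak the secret. The threshold values (16 characters, 3.5 bits per character) are this example's own assumptions, not figures from the article, and the scanner only identifies candidates; confirming that a secret is "live" means checking it with the issuing provider, which this code deliberately does not do.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample of "crawled" page content. The AWS-looking values are the
# public example key pair from AWS documentation, not real credentials.
SAMPLE_PAGE = """
<script>
  var cfg = {
    region: "us-east-1",
    accessKeyId: "AKIAIOSFODNN7EXAMPLE",
    secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    apiKey: "demo",
    theme: "dark"
  };
</script>
<p>Contact: hello@example.test</p>
"""

# AWS access key IDs have a fixed, well-known shape: "AKIA" + 16 upper-case/digits.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Generic "<something-secret-ish> = '<value>'" assignments in JSON, JS, YAML, .env, etc.
# The value must be at least 8 characters; shorter strings are judged by entropy below.
GENERIC_SECRET = re.compile(
    r"(?i)([A-Za-z_]*(?:secret|api[_-]?key|token|passw(?:or)?d)[A-Za-z_]*)"
    r"\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)


@dataclass(frozen=True)
class Finding:
    kind: str      # which detector fired
    name: str      # field/variable name where one is known, else ""
    redacted: str  # enough of the value to triage, never the whole secret
    line: int      # 1-based line number in the scanned text


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking secrets score high, words score low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return sum(-(c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix/suffix so an analyst can match it against a key inventory."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan(text: str, min_len: int = 16, min_entropy: float = 3.5) -> list[Finding]:
    """Return candidate hard-coded credentials found in `text`, in document order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append(Finding("aws_access_key_id", "", redact(m.group(0)), lineno))
        for m in GENERIC_SECRET.finditer(line):
            name, value = m.group(1), m.group(2)
            # Entropy + length filter drops placeholders like "demo" or "changeme".
            if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                findings.append(Finding("high_entropy_secret", name, redact(value), lineno))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PAGE):
        print(f"line {f.line}: {f.kind} {f.name or ''} {f.redacted}")
```

Running it on the sample reports the access key ID on line 5 and the high-entropy `secretAccessKey` on line 6, while the `apiKey: "demo"` placeholder is ignored. The same `scan()` works on a repository checkout, a CI artifact, or a crawl shard; pair it with a revoke-and-rotate procedure, since a credential that has been published should be treated as compromised whether or not anyone has used it yet.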

🔥 Trending CVEs

Your go-to software could be hiding dangerous security flaws, so don’t wait until it’s too late! Update now and stay ahead of the threats before they catch you off guard.

This week’s list includes — CVE-2025-27364 (MITRE Caldera), CVE-2025-24752 (Essential Addons for Elementor plugin), CVE-2025-27090 (Sliver), CVE-2024-34331 and its bypass (Parallels Desktop), CVE-2025-0690 (GRUB2), CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088 (Rsync), CVE-2025-0475, CVE-2025-0555 (GitLab), CVE-2025-20111 (Cisco Nexus 3000 and 9000 Series Switches), CVE-2025-23363 (Siemens Teamcenter), CVE-2025-0514 (LibreOffice), CVE-2025-1564 (SetSail Membership plugin), CVE-2025-1671 (Academist Membership plugin), CVE-2025-1638 (Alloggio Membership plugin), CVE-2024-12824 (Nokri – Job Board WordPress Theme), CVE-2024-9193 (WHMpress – WHMCS WordPress Integration Plugin), CVE-2024-8420 (DHVC Form plugin), CVE-2024-8425 (WooCommerce Ultimate Gift Card plugin), CVE-2025-25570 (Vue Vben Admin), CVE-2025-26943 (Jürgen Müller Easy Quotes plugin), and CVE-2025-1128 (Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin).

📰 Around the Cyber World

  • Qualcomm and Google Announce Security Partnership — Chipmaker Qualcomm announced a partnership with Google with an aim to enable device manufacturers to offer up to eight years of software and security updates. “Starting with Android smartphones running on the Snapdragon 8 Elite Mobile Platform, Qualcomm Technologies now offers device manufacturers the ability to provide support for up to eight consecutive years of Android software and security updates,” the company said. “Smartphones launching on new Snapdragon 8 and 7-series mobile platforms will also be eligible to receive this extended support.” The eight-year pledge, however, only applies to devices using Arm-compatible Snapdragon 8 Elite chips and running Android 15, as well as future iterations of the Snapdragon 8 and 7-series.
  • Microsoft Removes 2 Malicious VSCode Extensions — Microsoft has taken down two popular VSCode extensions, ‘Material Theme – Free’ and ‘Material Theme Icons – Free,’ from the Visual Studio Marketplace for allegedly containing malicious code. The two extensions have been downloaded nearly 9 million times cumulatively. It’s believed that the malicious code was introduced in an update to the extensions, indicating either a supply chain attack or a compromise of the developer’s account. Microsoft said it also banned the developer, who claimed the issues are caused by an outdated Sanity.io dependency that “looks compromised.” Another developer commented: “After being targeted for a removal, the reasonable, good faith action that the developer should have taken would be to reach out to the VS Code team, putting himself at their disposal to address any issues they’ve identified. Instead, he created several different accounts in order to submit the same extensions in an attempt to bypass the restrictions, and implicated the VS Code devs in a conspiracy to personally censor him.”
  • Over 49,000 Misconfigured Access Management Systems Flagged — New research has uncovered more than 49,000 misconfigured access management systems (AMS) worldwide, particularly in the construction, healthcare, education, manufacturing, oil, and government sectors. These misconfigurations expose personal data, employee photos, biometric data, work schedules, payslips, and other sensitive information. They could also be abused to access buildings and compromise physical security. Italy, Mexico, and Vietnam have emerged as the top countries with the most exposures. “These misconfigurations exposed highly sensitive personal information, including employee photos, full names, identification numbers, access card details, biometric data, registration code numbers, and in some cases, even full work schedules and facility access histories,” Modat said. “Particularly concerning was the discovery of exposed biometric templates and facial recognition data in several modern access control systems, which could pose serious privacy risks if accessed by malicious actors.”
  • Telegram Remains the Top Platform for Cybercriminals — Despite new commitments from Telegram, the messaging app continues to be a hub for cybercriminal activity. Some of the other platforms that are gaining traction, according to Flare.io, include Discord, Signal, TOX, Session, and Element/Matrix. While Discord invite links were primarily found on forums like Nulled, Cracked, VeryLeaks, and DemonForums, Matrix and Element protocol based IDs were primarily found on drug-focused forums like RuTOR, RCclub, and BigBro. TOX and Jabber IDs were predominantly shared on the XSS, CrdPro, BreachForums, and Exploit forums. “Increased cooperation between Telegram and law enforcement has prompted discussions about alternative platforms, with Signal showing the most significant growth,” the company said. “Other messaging apps like Discord, TOX, Matrix, and Session play niche roles, often tied to specific cybercriminal activities or communities. Many threat actors use multiple messaging apps to ensure accessibility and redundancy in their communications.”
  • OpenSSF Releases Best Practices for Open-Source Projects — The Open Source Security Foundation (OpenSSF) released the Open Source Project Security Baseline (OSPS Baseline), a three-tiered set of requirements that aims to improve the security posture of open source software projects. “The OSPS Baseline offers a tiered framework of security practices that evolve with project maturity. It compiles existing guidance from OpenSSF and other expert groups, outlining tasks, processes, artifacts, and configurations that enhance software development and consumption security,” the OpenSSF said. “By adhering to the Baseline, developers can lay a foundation that supports compliance with global cybersecurity regulations, such as the E.U. Cyber Resilience Act (CRA) and U.S. National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF).” The development comes as Google issued calls for standardizing memory safety by “establishing a common framework for specifying and objectively assessing memory safety assurances.”
  • MITRE Releases OCCULT Framework — The MITRE Corporation has detailed a lightweight operational evaluation framework called OCCULT that allows cyber security experts to quantify the possible risks associated with a large language model (LLM) used in offensive cyber operations. “The OCCULT goal is ultimately about understanding the cyber operation capability of an AI system, and quantifying performance in these dimensions of cyber reasoning can provide insight into that,” MITRE said.
  • Michigan Man Indicted on Wire Fraud and Aggravated Identity Theft Charges — Andrew Shenkosky, a 29-year-old man from the U.S. state of Michigan, has been indicted on wire fraud and aggravated identity theft charges after purchasing 2,468 stolen login credentials from the dark web marketplace Genesis Market and using them to make fraudulent financial transactions. Shenkosky is also alleged to have offered some of the stolen account data for sale on other criminal forums, including the now-defunct Raid Forums. The scheme was devised and executed from approximately February 2020 to November 2020, the U.S. Justice Department said.
  • 16 Malicious Google Chrome Extensions Flagged — Cybersecurity researchers have uncovered a cluster of at least 16 malicious Chrome extensions that were used to inject code into browsers to facilitate advertising and search engine optimization (SEO) fraud. The browser add-ons, now removed from the Chrome Web Store, collectively impacted 3.2 million users and masqueraded as screen capture tools, ad blockers, and emoji keyboards. According to GitLab, it’s suspected that the threat actors acquired access to at least some of the extensions from their original developers to subsequently push out the trojanized versions. The activity has been ongoing since at least July 2024.
  • Gmail to Ditch SMS for Two-Factor Authentication — Google is planning to end support for SMS-based two-factor authentication in Gmail so as to “reduce the impact of rampant, global SMS abuse.” In lieu of the SMS-based system, the company is expected to display a QR code that users have to scan in order to log in to their accounts, Forbes reported.
  • Details Emerge About NSA’s Alleged Hack of China’s Northwestern Polytechnical University — In 2022, China accused the U.S. National Security Agency (NSA) of conducting a string of cyber attacks aimed at the Northwestern Polytechnical University. It said the attack targeting the research university employed no fewer than 40 different cyber weapons that are designed to siphon passwords, network equipment configuration, network management data, and operation and maintenance data. China has given the NSA the threat actor designation APT-C-40. According to a new analysis published by security researcher Lina Lau (aka “inversecos”), the attribution to the agency boils down to a combination of attack times (or lack thereof during the Memorial Day and Independence Day holidays), hands-on keyboard activity using American English, human error, and the presence of tools previously discovered during the Shadow Brokers leak. The attack involved the use of a zero-day vulnerability attack platform called Fox Acid to automate the delivery of browser-based exploits when visiting legitimate websites. Some of the other tools deployed included ISLAND for exploiting Solaris systems; SECONDDATE, a framework installed on edge devices to conduct network eavesdropping, MitM attacks, and code injection; NOPEN and FLAME SPRAY for remote access to compromised systems; CUNNING HERETICS, a lightweight implant for covert access to NSA communication channels; STOIC SURGEON, a backdoor targeting Linux, Solaris, JunOS, and FreeBSD systems; DRINKING TEA for credential harvesting; TOAST BREAD, a log manipulation tool that erased evidence of unauthorized access; and Shaver, a program to attack exposed SunOS servers for use as jump servers. It’s said that NSA operatives stole classified research data, network infrastructure details, and sensitive operational documents from the university.
  • Apple Find My Exploit Can Turn a Bluetooth Device into an AirTag — A group of academics from George Mason University has detailed a new vulnerability in Apple’s Find My network called nRootTag that turns devices into trackable “AirTags” without requiring root privileges. “The attack achieves a success rate of over 90% within minutes at a cost of only a few U.S. dollars. Or, a rainbow table can be built to search keys instantly,” the researchers said. “Subsequently, it can locate a computer in minutes, posing a substantial risk to user privacy and safety. The attack is effective on Linux, Windows, and Android systems, and can be employed to track desktops, laptops, smartphones, and IoT devices.” Apple has released patches in iOS 18.2, iPadOS 17.7.3, 18.2, watchOS 11.2, tvOS 18.2, macOS Ventura 13.7.2, Sonoma 14.7.2, Sequoia 15.2, and visionOS 2.2 to fix the vulnerability. That said, the attack remains effective as long as unpatched iPhones or Apple Watches are in the proximity of a target device running a malicious trojan that is capable of sending Bluetooth Low Energy (BLE) broadcasts, which are used to glean a device’s location by querying Apple’s servers. In other words, simply by installing malware that can send BLE advertisements, the technique can make the device it’s running on trackable via Apple’s Find My network.
  • Swedish Authorities Seek Backdoor Access to Encrypted Messaging Apps — Sweden’s law enforcement and security agencies are pushing for legislation that forces encrypted messaging services like Signal and WhatsApp to create technical backdoors allowing them to access communications. Signal Foundation President Meredith Whittaker said the company would rather exit the market than comply with such a law, Swedish news outlet SVT Nyheter reported last week. The development follows Apple’s disabling of iCloud’s Advanced Data Protection (ADP) feature for users in the U.K. last week in response to reports that the Home Office had asked for the ability to access encrypted contents in the cloud. Tulsi Gabbard, the director of U.S. National Intelligence, said she was not informed in advance about the U.K. government’s demand to be able to access Apple customers’ encrypted data. U.S. officials are said to be looking at whether the U.K. violated a bilateral agreement by demanding Apple create a “backdoor” to access end-to-end encrypted iCloud data, according to Reuters. It also comes as concerns are being raised over a proposed amendment to the Narcotrafic law in France that seeks to backdoor encrypted messaging systems and hand over chat messages of suspected criminals within 72 hours of a law enforcement request. “A backdoor for the good guys only is a dangerous illusion,” Matthias Pfau, CEO of Tuta Mail, said in a statement shared with The Hacker News. “Weakening encryption for law enforcement inevitably creates vulnerabilities that can – and will – be exploited by cybercriminals and hostile foreign actors. This law wouldn’t just target criminals, it would destroy security for everyone.”
  • Cybercriminal Behind More Than 90 Data Leaks Arrested — A joint operation of the Royal Thai Police and the Singapore Police Force has led to the arrest of an individual responsible for more than 90 instances of data leaks worldwide, including 65 in the Asia-Pacific (APAC) region alone. The leaks resulted in the sale of over 13TB of personal data on the dark web, per Singaporean company Group-IB. The individual operated under the aliases ALTDOS, DESORDEN, GHOSTR, and 0mid16B. The identity of the suspect has not been disclosed, but Thai media reported that he goes by the name Chingwei. “The main goal of his attacks was to exfiltrate the compromised databases containing personal data and to demand payment for not disclosing it to the public,” Group-IB said. “If the victim refused to pay, he did not announce the leaks on dark web forums. Instead he notified the media or personal data protection regulators, with the intention of inflicting greater reputational and financial damage on his victims.” In select instances, the threat actor also encrypted the victim’s databases as a means of exerting more pressure. The attacks leveraged SQL injection tools like sqlmap and exploited vulnerable Remote Desktop Protocol (RDP) servers to gain unauthorized access, followed by deploying a cracked version of an adversary simulation tool named Cobalt Strike for controlling compromised servers and exfiltrating data. Targets of the individual’s attacks spanned industries such as healthcare, retail, property investment, finance, e-commerce, logistics, technology, hospitality, insurance, and recruitment.

🎥 Expert Webinar

  • Webinar 1: Discover How ASPM Bridges Critical Gaps in AppSec Before It’s Too Late — Join our free webinar to learn how ASPM is changing app security. Amir Kaushansky from Palo Alto Networks will show you how ASPM unites your security tools and makes managing risks easier. Hear real success stories from hundreds of users and get clear, practical advice to protect your apps.
  • Webinar 2: Transform Your Code Security with One Smart Engine — Join this next webinar to learn how to stop identity-based attacks like phishing and MFA bypass. Discover a secure access solution trusted by over 500 users. With limited spots, don’t miss your chance to protect your identity. Sign up now!

P.S. Know someone who could use these? Share it.

🔧 Cybersecurity Tools

  • MEDUSA — It’s a powerful, FRIDA-powered tool designed for dynamic analysis of Android and iOS apps. It automates tasks such as bypassing SSL pinning, tracing function calls, and modifying app behavior in real time, all in a simple and efficient way. This makes it a strong fit for uncovering vulnerabilities and strengthening mobile security.
  • Galah — It’s an AI-driven web honeypot designed to lure and study cyber attackers. It mimics different web applications by generating realistic, lifelike responses to any HTTP request, making it harder for attackers to tell what’s real. Originally built as a fun project to explore the power of large language models, Galah offers a simple way to see how modern AI can be used in cybersecurity.

🔒 Tip of the Week

The Hidden Dangers of Copy-Paste: How to Secure Your Clipboard from Cyber Threats — Clipboard security is often overlooked, yet it’s a prime target for attackers. Malware can hijack your clipboard to steal sensitive data, swap cryptocurrency addresses, or execute malicious commands without your knowledge. Tools like Edit Clipboard Contents Tool allow you to inspect and modify clipboard data at a raw level, providing visibility into potential threats. Sysinternals Process Monitor (ProcMon) can detect suspicious access to the clipboard, helping you catch rogue processes. Additional tools like InsideClipboard and Clipboardic log clipboard history and show all formats, revealing hidden malicious content that could otherwise go unnoticed.

To protect against clipboard-based attacks, clear the clipboard after copying sensitive data, and avoid pasting from untrusted sources. Developers should implement auto-clearing of clipboard data and sanitize pasted input to prevent exploits. Security professionals can monitor clipboard access via Sysmon or DLP systems to alert on suspicious behavior. By incorporating these tools and habits, you can better defend against clipboard hijacking and ensure sensitive information stays secure.
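The monitoring advice above can be turned into a concrete detection. Sysmon records every clipboard write as Event ID 24 (ClipboardChange), including the writing process's image path and PID. The script below is an added example, not code from the article or from Sysinternals; it runs over a handful of constructed events in JSON-lines form (the shape a SIEM forwarder typically produces; only the `UtcTime`, `ProcessId`, `Image` and `Session` fields of the real event are used) and applies two heuristics: a clipboard write by a process running from a user-writable directory, and the classic "clipper" pattern in which a second, non-allowlisted process overwrites the clipboard within a couple of seconds of the user's own copy (the window used to swap a pasted cryptocurrency address). The allowlist, directory list and 2-second window are this example's assumptions and would be tuned to a real fleet's baseline.

```python
import json
from datetime import datetime

# Sysmon logs clipboard writes as Event ID 24 (ClipboardChange).
CLIPBOARD_CHANGE = 24

# Processes that routinely write the clipboard on a workstation. Assumption for
# this example; derive the real list from your own telemetry baseline.
ALLOWLIST = {
    "explorer.exe", "notepad.exe", "chrome.exe", "msedge.exe",
    "winword.exe", "excel.exe", "outlook.exe", "code.exe",
}

# Directories a legitimate clipboard manager is unlikely to run from
# (compared case-insensitively against the full image path).
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\",
    "\\programdata\\", "\\windows\\temp\\",
)

# A clipper overwrites the clipboard right after the user copies something.
REWRITE_WINDOW_S = 2.0

# Constructed sample events (JSON lines). Event 2 imitates a real-world tell:
# a binary named like a system process but launched from %TEMP%.
SAMPLE_LOG = """
{"EventID": 24, "UtcTime": "2025-03-03 10:15:02.100", "ProcessId": 4120, "Image": "C:\\\\Windows\\\\explorer.exe", "Session": 1}
{"EventID": 24, "UtcTime": "2025-03-03 10:15:02.850", "ProcessId": 7788, "Image": "C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Temp\\\\svchost.exe", "Session": 1}
{"EventID": 1, "UtcTime": "2025-03-03 10:16:00.000", "ProcessId": 9001, "Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "Session": 1}
{"EventID": 24, "UtcTime": "2025-03-03 10:20:44.000", "ProcessId": 5120, "Image": "C:\\\\Program Files\\\\Notepad++\\\\notepad++.exe", "Session": 1}
"""


def parse_utc(ts: str) -> datetime:
    """Sysmon's UtcTime format: 'YYYY-MM-DD HH:MM:SS.fff'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def load_events(log_text: str) -> list[dict]:
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect_clipboard_abuse(events: list[dict]) -> list[dict]:
    """Return one alert per suspicious ClipboardChange event, each with its reasons."""
    clip_events = [e for e in events if e.get("EventID") == CLIPBOARD_CHANGE]
    clip_events.sort(key=lambda e: parse_utc(e["UtcTime"]))

    alerts = []
    last = None  # (time, pid, image) of the previous clipboard write
    for ev in clip_events:
        t, pid, image = parse_utc(ev["UtcTime"]), ev["ProcessId"], ev["Image"]
        name = basename(image)
        reasons = []

        if name not in ALLOWLIST and any(d in image.lower() for d in SUSPICIOUS_DIRS):
            reasons.append(f"clipboard written by process running from user-writable path: {image}")

        if last is not None and last[1] != pid and name not in ALLOWLIST:
            delta = (t - last[0]).total_seconds()
            if 0 <= delta <= REWRITE_WINDOW_S:
                reasons.append(
                    f"clipboard rewritten {delta:.2f}s after {basename(last[2])} "
                    f"(pid {last[1]}) wrote it; possible clipper"
                )

        if reasons:
            alerts.append({"UtcTime": ev["UtcTime"], "ProcessId": pid,
                           "Image": image, "reasons": reasons})
        last = (t, pid, image)
    return alerts


if __name__ == "__main__":
    for alert in detect_clipboard_abuse(load_events(SAMPLE_LOG)):
        print(f"{alert['UtcTime']} pid={alert['ProcessId']} {alert['Image']}")
        for reason in alert["reasons"]:
            print("  -", reason)
```

On the sample, only the `%TEMP%\svchost.exe` write is flagged, and it trips both rules; the Notepad++ write is unknown to the allowlist but comes from Program Files with no nearby rewrite, so it stays quiet. Note that Sysmon does not put the clipboard text in the event itself, so a rule like this alerts on the behaviour of the writer rather than on the content; pairing it with ProcMon or a clipboard history tool, as the tip suggests, is how you confirm what was actually substituted.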

Conclusion

As we close this week’s update, remember that staying informed is the first step to protecting yourself online. Every incident, from targeted exploits to AI misuse, shows that cyber threats are real and constantly changing.

Thanks for reading. Stay alert, update your systems, and use these insights to make smarter decisions in your digital life. Stay safe until next week.
