
Google Secrets Stolen, Windows Hack, New Crypto Scams and More

Feb 17, 2025 | Ravie Lakshmanan | Cyber Threats / Cybersecurity

Welcome to this week’s Cybersecurity News Recap. Discover how cyber attackers are using clever tricks like fake codes and sneaky emails to gain access to sensitive data. We cover everything from device code phishing to cloud exploits, breaking down the technical details into simple, easy-to-follow insights.

⚡ Threat of the Week

Russian Threat Actors Leverage Device Code Phishing to Hack Microsoft Accounts — Microsoft and Volexity have revealed that threat actors with ties to Russia are leveraging a technique known as device code phishing to gain unauthorized access to victim accounts, and use that access to get hold of sensitive data and enable persistent access to the victim environment. At least three different Russia-linked clusters have been identified abusing the technique to date. The attacks entail sending phishing emails that masquerade as Microsoft Teams meeting invitations, which, when clicked, urge the message recipients to authenticate using a threat actor-generated device code, thereby allowing the adversary to hijack the authenticated session using the valid access token.
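Because the victim completes a legitimate authentication, the attack described above leaves a normal-looking sign-in record whose only tell is the protocol used. The triage logic below is an added example (not from Microsoft, Volexity or the article) that flags device code sign-ins by accounts with no reason to use that flow, from outside expected networks, or clustered on one source address; the record field names follow the Entra ID sign-in log schema as an assumption and the sample records are constructed.

```python
"""Triage sign-in records for device code flow abuse (added example)."""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample sign-in records. The field names follow the Entra ID
# sign-in log schema as an assumption (authenticationProtocol == "deviceCode"
# marks a device code flow sign-in); every value below is invented.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-02-12T09:01:00Z", "userPrincipalName": "alice@corp.example",
     "authenticationProtocol": "none", "ipAddress": "10.0.0.5", "appDisplayName": "Outlook"},
    {"createdDateTime": "2025-02-12T09:15:00Z", "userPrincipalName": "build-agent@corp.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "10.0.1.20", "appDisplayName": "Azure CLI"},
    {"createdDateTime": "2025-02-12T10:00:00Z", "userPrincipalName": "bob@corp.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams"},
    {"createdDateTime": "2025-02-12T10:20:00Z", "userPrincipalName": "carol@corp.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams"},
]
EXPECTED_DEVICE_CODE_PRINCIPALS = {"build-agent@corp.example"}  # headless automation only
CORPORATE_NETWORKS = ["10.0.0.0/8"]


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def triage_device_code_signins(records, expected_principals, corporate_networks,
                               window=timedelta(hours=1), min_users=2):
    """Return a list of findings, each {"user", "ip", "reason"}.

    Rule 1: device code flow used by an account that has no business using it.
    Rule 2: device code sign-in from an address outside the corporate networks.
    Rule 3: several distinct users completing device code sign-ins from the same
            source address inside `window` (shared phishing infrastructure).
    """
    nets = [ipaddress.ip_network(n) for n in corporate_networks]
    device_code = [r for r in records if r.get("authenticationProtocol") == "deviceCode"]
    findings = []
    for r in device_code:
        user, ip = r["userPrincipalName"], r["ipAddress"]
        if user not in expected_principals:
            findings.append({"user": user, "ip": ip,
                             "reason": "device code flow not expected for this account"})
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            findings.append({"user": user, "ip": ip,
                             "reason": "device code sign-in from outside corporate networks"})
    by_ip = {}
    for r in device_code:
        by_ip.setdefault(r["ipAddress"], []).append(r)
    for ip, group in by_ip.items():
        group.sort(key=_ts)
        for i, first in enumerate(group):
            # distinct users whose device code sign-ins fall within `window` of this one
            users = {g["userPrincipalName"] for g in group[i:] if _ts(g) - _ts(first) <= window}
            if len(users) >= min_users:
                findings.append({"user": None, "ip": ip,
                                 "reason": f"{len(users)} users used device code flow from one address"})
                break
    return findings


if __name__ == "__main__":
    for finding in triage_device_code_signins(SAMPLE_SIGNINS,
                                              EXPECTED_DEVICE_CODE_PRINCIPALS,
                                              CORPORATE_NETWORKS):
        print(finding)
```

On the constructed records the build agent's sign-in is accepted, while the two Teams-branded sign-ins from the shared external address produce five findings between them.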


🔔 Top News

  • whoAMI Attack Exploits AWS AMI Name Confusion for Remote Code Execution — A new type of name confusion attack called whoAMI allows anyone who publishes an Amazon Machine Image (AMI) with a specific name to gain code execution within the Amazon Web Services (AWS) account. Datadog, which detailed the attack, said roughly 1% of organizations monitored by the company were affected by whoAMI, and that it found public examples of code written in Python, Go, Java, Terraform, Pulumi, and Bash shell using the vulnerable criteria. AWS told The Hacker News that there is no evidence of malicious exploitation of the security weakness.
  • RansomHub Targets Over 600 Orgs Globally — The RansomHub ransomware operation has targeted over 600 organizations across the world, spanning sectors such as healthcare, finance, government, and critical infrastructure, making it one of the most active cybercrime groups in 2024. One such attack has been found to weaponize now-patched security flaws in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to a victim network’s domain controller as part of their post-compromise strategy.
  • REF7707 Uses Outlook Drafts for Command-and-Control — A previously undocumented threat activity cluster dubbed REF7707 has been observed using a remote administration tool named FINALDRAFT that parses commands stored in the mailbox’s drafts folder and writes the results of the execution into new draft emails for each command. It uses the Outlook email service via the Microsoft Graph API for command-and-control (C2) purposes. The group has been observed targeting the foreign ministry of an unnamed South American nation, as well as a telecommunications entity and a university, both located in Southeast Asia.
  • Kimsuky Embraces ClickFix-Style Attack Strategy — The North Korean threat actor known as Kimsuky (aka Black Banshee) is using a new tactic that involves deceiving targets into running PowerShell as an administrator and then instructing them to paste and run malicious code provided by them. “To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a spear-phishing email with an [sic] PDF attachment,” Microsoft said. Users are then convinced to click on a URL, urging them to register their device in order to read the PDF attachment. The end goal of the attack is to establish a data communication mechanism that allows the adversary to exfiltrate data.
  • Law Enforcement Op Takes Down 8Base — A consortium of law enforcement agencies has arrested four Russian nationals and seized over 100 servers linked to the 8Base ransomware gang. The arrests were made in Thailand. Two of the suspects are accused of operating a cybercrime group that used Phobos ransomware to victimize more than 1,000 public and private entities in the country and across the world. The development comes in the aftermath of a series of high-profile ransomware disruptions associated with Hive, LockBit, and BlackCat in recent years. Late last year, Evgenii Ptitsyn, a 42-year-old Russian national believed to be the administrator of the Phobos ransomware, was extradited to the U.S.
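The whoAMI item above hinges on code that looks up an AMI by name pattern and takes the newest match without restricting who published it. The added example below (not Datadog's or AWS's code) contrasts that selection with one that enforces an owner allowlist, and builds the `Owners`/`Filters` arguments for boto3's `describe_images` so the restriction is applied server-side; the image records and account IDs are constructed placeholders.

```python
"""AMI selection by name: the name-confusion-prone way vs. an owner allowlist."""
from fnmatch import fnmatch

# Constructed sample data shaped like the "Images" list that EC2 DescribeImages
# returns. Account IDs are placeholders, not real publishers.
TRUSTED_PUBLISHER = "111111111111"
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaa", "OwnerId": TRUSTED_PUBLISHER, "Public": True,
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240201",
     "CreationDate": "2024-02-01T10:00:00.000Z"},
    {"ImageId": "ami-0bbb", "OwnerId": TRUSTED_PUBLISHER, "Public": True,
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240901",
     "CreationDate": "2024-09-01T10:00:00.000Z"},
    # Same naming scheme and a newer date, but published from an unknown account.
    {"ImageId": "ami-0ccc", "OwnerId": "999999999999", "Public": True,
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20250101",
     "CreationDate": "2025-01-01T10:00:00.000Z"},
]
NAME_PATTERN = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"


def _matching(images, name_pattern):
    # The EC2 "name" filter accepts wildcards; fnmatch approximates it locally.
    return [img for img in images if fnmatch(img["Name"], name_pattern)]


def latest_ami_unfiltered(images, name_pattern):
    """The vulnerable criteria: name filter only, newest wins, any owner accepted.
    A public image with a matching name from any account can win this race."""
    candidates = _matching(images, name_pattern)
    if not candidates:
        return None
    return max(candidates, key=lambda img: img["CreationDate"])["ImageId"]


def latest_ami_from_owners(images, name_pattern, trusted_owners):
    """Hardened selection: discard every image whose OwnerId is not allowlisted
    before picking the newest one."""
    if not trusted_owners:
        raise ValueError("trusted_owners must be a non-empty allowlist")
    candidates = [img for img in _matching(images, name_pattern)
                  if img["OwnerId"] in trusted_owners]
    if not candidates:
        return None
    return max(candidates, key=lambda img: img["CreationDate"])["ImageId"]


def describe_images_kwargs(name_pattern, trusted_owners):
    """Keyword arguments for boto3 ec2.describe_images(**kwargs): passing
    Owners makes EC2 itself drop images from other accounts."""
    if not trusted_owners:
        raise ValueError("refusing to query AMIs without an owner allowlist")
    return {"Owners": list(trusted_owners),
            "Filters": [{"Name": "name", "Values": [name_pattern]}]}


if __name__ == "__main__":
    print("unfiltered pick :", latest_ami_unfiltered(SAMPLE_IMAGES, NAME_PATTERN))
    print("allowlisted pick:", latest_ami_from_owners(SAMPLE_IMAGES, NAME_PATTERN,
                                                      {TRUSTED_PUBLISHER}))
    print("boto3 call args :", describe_images_kwargs(NAME_PATTERN, [TRUSTED_PUBLISHER]))
```

On the constructed data the unfiltered lookup returns the newer image from the unknown account, while the allowlisted lookup returns the trusted publisher's latest build.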

🔥 Trending CVEs

Your go-to software could be hiding dangerous security flaws—don’t wait until it’s too late! Update now and stay ahead of the threats before they catch you off guard.

This week’s list includes — CVE-2025-1094 (PostgreSQL), CVE-2025-0108 (Palo Alto Networks PAN-OS), CVE-2025-23359 (NVIDIA Container Toolkit), CVE-2025-21391 (Microsoft Windows Storage), CVE-2025-21418 (Microsoft Windows Ancillary Function Driver for WinSock), CVE-2024-38657, CVE-2025-22467, CVE-2024-10644 (Ivanti Connect Secure), CVE-2024-47908 (Ivanti Cloud Services Application), CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, CVE-2024-56134, CVE-2024-56135 (Progress Kemp LoadMaster), CVE-2025-24200 (Apple iOS and iPadOS), CVE-2024-12797 (OpenSSL), CVE-2025-21298 (Microsoft Windows OLE), CVE-2025-1240 (WinZip), CVE-2024-32838 (Apache Fineract), CVE-2024-52577 (Apache Ignite), CVE-2025-26793 (Hirsch Enterphone MESH), CVE-2024-12562 (s2Member Pro plugin), CVE-2024-13513 (Oliver POS – A WooCommerce Point of Sale (POS) plugin), CVE-2025-26506 (HP LaserJet), CVE-2025-22896, CVE-2025-25067, CVE-2025-24865 (mySCADA myPRO Manager), CVE-2024-13182 (WP Directorybox Manager plugin), CVE-2024-10763 (Campress theme), CVE-2024-7102 (GitLab CE/EE), CVE-2024-12213 (WP Job Board Pro plugin), CVE-2024-13365 (Security & Malware scan by CleanTalk plugin), CVE-2024-13421 (Real Estate 7 theme), and CVE-2025-1126 (Lexmark Print Management Client).

📰 Around the Cyber World

  • Former Google Engineer Charged with Plan to Steal Trade Secrets — Linwei Ding, a former Google engineer who was arrested last March for transferring “sensitive Google trade secrets and other confidential information from Google’s network to his personal account,” has now been charged with seven counts of economic espionage and seven counts of theft of trade secrets related to the company’s AI technology between 2022 and 2023. This included detailed information about the architecture and functionality of Google’s Tensor Processing Unit (TPU) chips and systems and Graphics Processing Unit (GPU) systems, the software that allows the chips to communicate and execute tasks, and the software that orchestrates thousands of chips into a supercomputer capable of training and executing cutting-edge AI workloads. The trade secrets also relate to Google’s custom-designed SmartNIC, a type of network interface card used to enhance Google’s GPU, high performance, and cloud networking products. “Ding intended to benefit the PRC government by stealing trade secrets from Google,” the U.S. Department of Justice said. “Ding allegedly stole technology relating to the hardware infrastructure and software platform that allows Google’s supercomputing data center to train and serve large AI models.” The superseding indictment also stated that Chinese-sponsored talent programs incentivize individuals engaged in research and development outside the country to transmit such information in exchange for salaries, research funds, lab space, or other incentives. If convicted, Ding faces a maximum penalty of 10 years in prison and up to a $250,000 fine for each trade-secret count and 15 years in prison and a $5,000,000 fine for each economic espionage count.
  • Windows UI Flaw Exploited by Mustang Panda — Israeli cybersecurity company ClearSky has warned that a suspected Chinese nation-state group known as Mustang Panda is actively exploiting a UI vulnerability in Microsoft Windows. “When files are extracted from compressed ‘RAR’ files they are hidden from the user,” the company said. “If the compressed files are extracted into a folder, the folder appears empty in the Windows Explorer GUI. When using the ‘dir’ command to list all files and folders inside the target folder, the extracted files and folders are ‘invisible/hidden’ to the user. Threat actors or users can also execute these compressed files from a command line prompt, if they know the exact path. As a result of executing ‘attrib -s -h’ on system protected files, an unknown file type is created from the type ‘Unknown’ ActiveX component.” It is currently not clear who the targets of the attack are, and what the end goals of the campaign are.
  • Meta Paid Over $2.3M in Bug Bounty Rewards in 2024 — Meta said it paid out more than $2.3 million in rewards to nearly 200 security researchers as part of its bug bounty program in 2024. In total, the company has handed out more than $20 million since the inception of the program in 2011. The top three countries based on bounties awarded in 2024 are India, Nepal, and the United States.
  • Critical ThinkPHP and OwnCloud Flaws Under Active Exploitation — Threat actors are attempting to actively exploit two known security vulnerabilities impacting ThinkPHP (CVE-2022-47945, CVSS score: 9.8) and OwnCloud (CVE-2023-49103, CVSS score: 10.0) over the past few days, with attacks originating from hundreds of unique IP addresses, most of which are based in Germany, China, the U.S., Singapore, Hong Kong, the Netherlands, the U.K., and Canada. Organizations are recommended to apply the necessary patches (ThinkPHP to 6.0.14+ and ownCloud GraphAPI to 0.3.1+) and restrict access to reduce the attack surface.
  • FSB Mole Arrested in Ukraine — The Security Service of Ukraine (SSU) said it had detained one of its own high-level officials, accusing them of acting as a mole for Russia. The individual, one of the officers of the SSU Counterterrorism Center, is alleged to have been recruited by Russia’s Federal Security Service (FSB) in Vienna in 2018, and actively began engaging in espionage at the end of December last year, transmitting documents containing state secrets to the intelligence agency via a “special mobile phone.” The SSU, upon learning of the individual’s activities, said it “used him in a counterintelligence ‘game’: through the traitor the SSU fed the enemy a large amount of disinformation.” The individual’s name was not disclosed, but the Kyiv Independent said it is Colonel Dmytro Kozyura, citing unnamed SSU sources.
  • LLMjacking Hits DeepSeek — Malicious actors have been observed capitalizing on the popularity of AI chatbot platform DeepSeek to conduct what’s called LLMjacking attacks that involve selling the access obtained to legitimate cloud environments to other actors for a price. These attacks involve the use of stolen credentials to allow access to machine learning services via the OpenAI Reverse Proxy (ORP), which acts as a reverse proxy server for LLMs of various providers. The ORP operators hide their IP addresses using TryCloudflare tunnels. Ultimately, the illicit LLM access is used to generate NSFW content and malicious scripts, and even circumvent bans on ChatGPT in countries like China and Russia, where the service is blocked. “Cloud-based LLM usage costs can be staggering, surpassing several hundreds of thousands of dollars monthly,” Sysdig said. “The high cost of LLMs is the reason cybercriminals choose to steal credentials rather than pay for LLM services. Due to steep costs, a black market for access has developed around OAI Reverse Proxies — and underground service providers have risen to meet the needs of consumers.”
  • Romance Baiting Scams Jump 40% YoY — Pig butchering scams, also called romance baiting, have accounted for 33.2% of the estimated $9.9 billion revenue earned by cybercriminals in 2024 from cryptocurrency scams, rising nearly 40% year-over-year. However, the average deposit amount to pig butchering scams declined 55% YoY, likely indicating a shift in how these scams are carried out. “Pig butchering scammers have also evolved to diversify their business model beyond the ‘long con’ of pig butchering scams — which can take months or even years of developing a relationship before receiving victim funds — to quicker turnaround employment or work-from-home scams that typically yield smaller victim deposits,” Chainalysis said. Further analysis of on-chain activity has found that HuiOne Guarantee is heavily used for illicit crypto-based activities supporting the pig butchering industry in Southeast Asia. Scammers have also been observed using generative AI technology to facilitate crypto scams, often to impersonate others or generate realistic content.
  • Security Issues in RedNote Flagged — It isn’t just DeepSeek. A new network security analysis undertaken by the Citizen Lab has uncovered multiple issues in RedNote’s (aka Xiaohongshu) Android and iOS apps. This includes fetching viewed images and videos over HTTP, transmitting insufficiently encrypted device metadata, as well as a vulnerability that enables network attackers to learn the contents of any files that RedNote has permission to read on the users’ devices. While the second vulnerability was introduced by an upstream analytics SDK, MobTech, the third issue was introduced by NEXTDATA. As of writing, all the issues remain unpatched. The vulnerabilities “could enable surveillance by any government or ISP, and not just the Chinese government,” the Citizen Lab said.
  • CISA Urges Orgs to Address Buffer Overflows — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a Secure by Design Alert, urging organizations to eliminate buffer overflow vulnerabilities in software. “These vulnerabilities can lead to data corruption, sensitive data exposure, program crashes, and unauthorized code execution,” the agencies said, labeling them as unforgivable defects. “Threat actors frequently exploit these vulnerabilities to gain initial access to an organization’s network and then move laterally to the broader network.” Saeed Abbasi, manager of vulnerability research at Qualys Threat Research Unit (TRU), emphasized the need to switch from memory unsafe languages. “Legacy excuses are out; the world has zero tolerance for memory-unsafe code in 2025,” Abbasi said. “Yes, rewriting old systems is daunting, but letting attackers exploit decades-old buffer overflows is worse. Organizations still clinging to unsafe languages risk turning minor vulnerabilities into massive breaches—and they can’t claim surprise. We’ve had proven fixes for ages: phased transitions to Rust or other memory-safe options, compiler-level safeguards, thorough adversarial testing, and public commitments to a secure-by-design roadmap. The real challenge is collective will: leadership must demand memory-safe transitions, and software buyers must hold vendors accountable.”
  • Foreign Adversaries Target Local Communities in the U.S. for Influence Ops — A new report from the Alliance for Securing Democracy (ASD) has found that foreign nation-state actors from Russia, China, and Iran are running influence operations that exploit trust in local sources and influence state and local communities in the U.S. with an aim to manipulate public opinion, stoke discord, and undermine democratic institutions. “In some cases, adversarial nations seek favorable outcomes around local policy issues; in others, they use local debates as Trojan horses to advance their broader geopolitical agendas,” the research said. Russia emerged as the most active threat actor, with 26 documented cases designed to polarize Americans through themes related to immigration and election integrity. Beijing, on the other hand, sought to cultivate support for Chinese state interests.
  • Financial Orgs Asked to Switch to Quantum-Safe Cryptography — Europol is urging financial institutions and policymakers to transition to quantum-safe cryptography, citing an “imminent” threat to cryptographic security due to the rapid advancement of quantum computing. The primary risk is that threat actors could steal encrypted data today with the intention of decrypting it in the future using quantum computing, a technique called “harvest now, decrypt later” or retrospective decryption. “A sufficiently advanced quantum computer has the potential to break widely used public-key cryptographic algorithms, endangering the confidentiality of financial transactions, authentication processes, and digital contracts,” the agency said. “While estimates suggest that quantum computers capable of such threats could emerge within the next 10 to 15 years, the time required to transition away from vulnerable cryptographic methods is significant. A successful transition to post-quantum cryptography requires collaboration among financial institutions, technology providers, policymakers, and regulators.” Last year, the U.S. National Institute of Standards and Technology (NIST) formally announced the first three “quantum-safe” algorithms.
  • Google Addresses High Impact Flaws — Google has addressed a pair of security flaws that could be chained by malicious actors to unmask the email address of any YouTube channel owner. The first of the two is a vulnerability identified in a YouTube API that could leak a user’s GAIA ID, a unique identifier used by Google to manage accounts across its network of sites. This ID could then be fed as input to an outdated web API associated with Pixel Recorder to convert it into an email address when sharing a recording. Following responsible disclosure on September 24, 2024, the issues were resolved as of February 9, 2025. There is no evidence that these shortcomings were ever abused in the wild.
  • New DoJ Actions Target Crypto Fraud — Eric Council Jr., 25, of Alabama, has pleaded guilty to charges related to the January 2024 hacking of the U.S. Securities and Exchange Commission’s (SEC) X account. The account was taken over to falsely announce that the SEC approved BTC Exchange Traded Funds, causing a spike in the price of bitcoin. The attack was carried out through an unauthorized Subscriber Identity Module (SIM) swap performed by the defendant, tricking a mobile phone provider store into reassigning the victim’s phone number to a SIM card in their possession using a fraudulent identity card printed with an ID card printer. Council, who was arrested in December 2024, pleaded guilty to conspiracy to commit aggravated identity theft and access device fraud. If convicted, he faces a maximum penalty of five years in prison. In a related development, a 22-year-old man from Indiana, Evan Frederick Light, was sentenced to 20 years in federal prison for running a massive cryptocurrency theft scheme from his mother’s basement. Light broke into an investment holdings company in South Dakota in February 2022, stealing customers’ personal data and cryptocurrency worth over $37 million from nearly 600 victims. The stolen cryptocurrency was then funneled to various locations throughout the world, including several mixing services and gambling websites, to conceal his identity and to hide the digital currency. Separately, the Justice Department has also charged Canadian national Andean Medjedovic, 22, with exploiting smart contract vulnerabilities in two decentralized finance crypto platforms, KyberSwap and Indexed Finance, to fraudulently obtain about $65 million from the protocols’ investors between 2021 and 2023. A master’s degree holder in mathematics from the University of Waterloo, Medjedovic is also alleged to have laundered the proceeds through mixers and bridge transactions in an attempt to conceal the source and ownership of the funds. Medjedovic is charged with one count of wire fraud, one count of unauthorized damage to a protected computer, one count of attempted Hobbs Act extortion, one count of money laundering conspiracy, and one count of money laundering. He faces over 30 years in prison.
  • U.S. Lawmakers Warn Against U.K. Order for Backdoor to Apple Data — After reports emerged that security officials in the U.K. have ordered Apple to create a backdoor to access any Apple user’s iCloud content, U.S. Senator Ron Wyden and Member of Congress Andy Biggs have sent a letter to Tulsi Gabbard, the Director of National Intelligence, urging the U.K. to retract its order, citing that it threatens the “privacy and security of both the American people and the U.S. government.” “If the U.K. does not immediately reverse this dangerous effort, we urge you to reevaluate U.S.-U.K. cybersecurity arrangements and programs as well as U.S. intelligence sharing with the U.K.,” they added. The purported Apple backdoor request would reportedly allow authorities to access data currently secured by Advanced Data Protection, potentially affecting users worldwide. Wyden has also released a draft version of the Global Trust in American Online Services Act that seeks to “secure Americans’ communications against abusive foreign demands to weaken the security of communications services and software used by Americans.” While security experts have criticized the order, British officials have neither confirmed nor denied it.

🎥 Cybersecurity Webinars

  • Webinar 1: From Code to Runtime: Transform Your App Security — Join our webinar with Amir Kaushansky from Palo Alto Networks and see how ASPM can change your app security. Learn how to connect code details with live data to fix gaps before they become risks. Discover practical, proactive ways to protect your applications in real time.
  • Webinar 2: From Debt to Defense: Fix Identity Gaps Fast — Join our free webinar with experts Karl Henrik Smith and Adam Boucher as they show you how to spot and close identity gaps with Okta’s Secure Identity Assessment. Learn simple steps to streamline your security process, focus on key fixes, and build a stronger defense against threats.

P.S. Know someone who could use these? Share it.

🔧 Cybersecurity Tools

  • WPProbe — This is a fast WordPress plugin scanner that uses REST API enumeration to stealthily detect installed plugins without brute force, scanning by querying exposed endpoints and matching them against a precompiled database of over 900 plugins. It even maps detected plugins to known vulnerabilities (CVE) and outputs results in CSV or JSON format, making your scans both rapid and less likely to trigger security defenses.
  • BruteShark — This is a powerful and user-friendly Network Forensic Analysis Tool built for security researchers and network administrators. It digs deep into PCAP files or live network captures to extract passwords, rebuild TCP sessions, map your network visually, and even convert password hashes for offline brute force testing with Hashcat. Available as a Windows GUI or a flexible CLI for Windows and Linux.

🔒 Tip of the Week

Segment Your Wi-Fi Network for Better Security — In today’s smart home, you likely have many connected devices—from laptops and smartphones to smart TVs and various IoT gadgets. When all these devices share the same Wi‑Fi network, a breach in one device could potentially put your entire network at risk. Home network segmentation helps protect you by dividing your network into separate parts, similar to how large businesses isolate sensitive information.

To set this up, use your router’s guest network or VLAN features to create different SSIDs, such as “Home_Private” for personal devices and “Home_IoT” for smart gadgets. Ensure each network uses strong encryption (WPA3 or WPA2) with unique passwords, and configure your router so devices on one network can’t communicate with those on another. Test your setup by connecting your devices accordingly and verifying that cross-network traffic is blocked, then periodically check your router’s dashboard to keep the configuration running smoothly.

Conclusion

That wraps up this week’s cybersecurity news. We’ve covered a broad range of stories—from the case of a former Google engineer charged with stealing key AI secrets to hackers taking advantage of a Windows user interface flaw. We’ve also seen how cybercriminals are moving into new areas like AI misuse and cryptocurrency scams, while law enforcement and industry experts work hard to catch up.

These headlines remind us that cyber threats come in many forms, and every day new risks emerge that can affect everyone from large organizations to individual users. Keep an eye on these developments and take steps to protect your digital life. Thanks for joining us, and we look forward to keeping you informed next week.
