This week, a 23-year-old Serbian activist found themselves at the crossroads of digital danger when a sneaky zero-day exploit turned their Android device into a target. Meanwhile, Microsoft pulled back the curtain on a scheme where cybercriminals used AI tools for harmful pranks, and a massive trove of live secrets was discovered, reminding us that even the tools we rely on can hide dangerous surprises.
We've sifted through a storm of cyber threats—from phishing scams to malware attacks—and broken down what it means for you in clear, everyday language. Get ready to dive into the details, understand the risks, and learn how to protect yourself in an increasingly unpredictable online world.
Threat of the Week
Serbian Youth Activist Targeted by Android 0-Day Exploit Chain — A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit chain developed by Cellebrite to unlock the device and likely deploy an Android spyware known as NoviSpy. The flaws combined CVE-2024-53104 with CVE-2024-53197 and CVE-2024-50302 to escalate privileges and achieve code execution. The vulnerabilities, originally present within the Linux kernel, were addressed in December 2024. CVE-2024-53104 has since been addressed in Android as of early February 2025. In response to the development, Cellebrite said it would no longer allow Serbia to use its software, stating "we found it appropriate to stop the use of our products by the relevant customers at this time."
Top News
- Microsoft Unmasks People Behind LLMjacking Scheme — Microsoft revealed the identities of four individuals who it said were behind an Azure Abuse Enterprise scheme that involves leveraging unauthorized access to generative artificial intelligence (GenAI) services in order to produce offensive and harmful content. The campaign, also called LLMjacking, has targeted various AI service providers, with the threat actors selling the access to other criminal actors to facilitate the illicit generation of non-consensual intimate images of celebrities and other sexually explicit content in violation of its policies.
- Common Crawl Dataset Contains Nearly 12,000 Live Secrets — An analysis of a December 2024 archive from Common Crawl has uncovered nearly 12,000 live secrets, once again highlighting how hard-coded credentials pose a severe security risk to users and organizations alike. Furthermore, they also have the unintended side effect of exacerbating a problem where large language models (LLMs) end up suggesting insecure coding practices to their users due to the presence of hard-coded credentials in training data.
- Silver Fox APT Uses Winos 4.0 to Target Taiwanese Orgs — Taiwanese companies have been targeted via phishing emails that masquerade as the country's National Taxation Bureau with an aim to deliver the Winos 4.0 (aka ValleyRAT) malware. Winos, derived from Gh0st RAT, is a modular malware framework that acts both as a remote access trojan and a command-and-control (C2) framework. The malware has also been propagated via trojanized installers for Philips DICOM viewers. A majority of these artifacts have been detected in the United States and Canada, indicating a possible expansion of the Silver Fox APT's targeting to new regions and sectors.
- Australia Bans Kaspersky Products from Government Networks — Australia has become the latest country to ban the installation of security software from Russian company Kaspersky, citing "unacceptable security risk to Australian Government, networks and data." Under the new directive, government entities are prohibited from installing Kaspersky's products and web services on government systems and devices effective April 1, 2025. They have also been recommended to remove all existing instances by the cutoff date.
- Bybit Hack Officially Attributed to Lazarus Group — The North Korea-linked Lazarus Group has been implicated in the record-breaking hack of crypto exchange Bybit that led to the theft of $1.5 billion in digital assets. The attack has been attributed to a threat cluster dubbed TraderTraitor, which was previously behind the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024. Further investigation has found that the hack was carried out by compromising one of the developer machines associated with the multisig wallet platform Safe{Wallet}, which affected an account operated by Bybit. "The Bybit attack mirrors North Korea's established tactics of targeting centralized crypto exchanges through methods such as phishing, supply chain compromises, and private key theft strategies," TRM Labs said. An infrastructure analysis has also found that the threat actors registered a fake domain named bybit-assessment[.]com a few hours before the theft took place. Silent Push, which discovered the domain, told The Hacker News it found no data to tie the bogus domain to the actual hack itself. It is believed that the domain may have been set up as part of another related campaign codenamed Contagious Interview. The company also noted that the threat actors behind the Contagious Interview campaign are actively targeting various cryptocurrency companies such as Stripe, Coinbase, Binance, Block, Ripple, Robinhood, Tether, Circle, Kraken, Gemini, Polygon, Chainalysis, KuCoin, eToro, Bitstamp, Bitfinex, Gate.io, Pantera Capital, Galaxy, Bitwise Asset Management, Bitwise Investments, BingX, Gauntlet, XY Labs, YouHodler, MatChain, Bemo, Barrowwise, Bondex, Halliday, Holidu, Hyphen Connect, and Windranger.
"Anyone applying for a job at one of these companies should be on the lookout for suspicious job offers or suspicious interview tactics," the company added.
Trending CVEs
Your go-to software could be hiding dangerous security flaws—don't wait until it's too late! Update now and stay ahead of the threats before they catch you off guard.
This week's list includes — CVE-2025-27364 (MITRE Caldera), CVE-2025-24752 (Essential Addons for Elementor plugin), CVE-2025-27090 (Sliver), CVE-2024-34331 and its bypass (Parallels Desktop), CVE-2025-0690 (GRUB2), CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088 (Rsync), CVE-2025-0475, CVE-2025-0555 (GitLab), CVE-2025-20111 (Cisco Nexus 3000 and 9000 Series Switches), CVE-2025-23363 (Siemens Teamcenter), CVE-2025-0514, CVE-2025-1564 (SetSail Membership plugin), CVE-2025-1671 (Academist Membership plugin), CVE-2025-1638 (Alloggio Membership plugin), CVE-2024-12824 (Nokri – Job Board WordPress Theme), CVE-2024-9193 (WHMpress – WHMCS WordPress Integration Plugin), CVE-2024-8420 (DHVC Form plugin), CVE-2024-8425 (WooCommerce Ultimate Gift Card plugin), CVE-2025-25570 (Vue Vben Admin), CVE-2025-26943 (Jürgen Müller Easy Quotes plugin), and CVE-2025-1128 (Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin).
Around the Cyber World
- Qualcomm and Google Announce Security Partnership — Chipmaker Qualcomm announced a partnership with Google with an aim to enable device manufacturers to provide up to eight years of software and security updates. "Starting with Android smartphones running on the Snapdragon 8 Elite Mobile Platform, Qualcomm Technologies now offers device manufacturers the ability to provide support for up to eight consecutive years of Android software and security updates," the company said. "Smartphones launching on new Snapdragon 8 and 7-series mobile platforms will also be eligible to receive this extended support." The eight-year pledge, however, only applies to devices using Arm-compatible Snapdragon 8 Elite chips and running Android 15, as well as future iterations of the Snapdragon 8 and 7-series.
- Microsoft Removes 2 Malicious VSCode Extensions — Microsoft has taken down two popular VSCode extensions, 'Material Theme – Free' and 'Material Theme Icons – Free,' from the Visual Studio Marketplace for allegedly containing malicious code. The two extensions have been downloaded nearly 9 million times cumulatively. It is believed that the malicious code was introduced in an update to the extensions, indicating either a supply chain attack or a compromise of the developer's account. Microsoft said it also banned the developer, who claimed the issues are caused by an outdated Sanity.io dependency that "appears compromised." Another developer commented: "After being targeted for a removal, the reasonable, good faith action that the developer should have taken would be to reach out to the VS Code team, putting himself at their disposal to address any issues they have identified. Instead, he created several different accounts in order to submit the same extensions in an attempt to bypass the restrictions, and implicated the VS Code devs in a conspiracy to personally censor him."
- Over 49,000 Misconfigured Access Management Systems Flagged — New research has uncovered more than 49,000 misconfigured access management systems (AMS) around the world, particularly in the construction, healthcare, education, manufacturing, oil, and government sectors. These misconfigurations expose personal data, employee photos, biometric data, work schedules, payslips, and other sensitive information. They could also be abused to access buildings and compromise physical security. Italy, Mexico, and Vietnam have emerged as the top countries with the most exposures. "These misconfigurations exposed highly sensitive personal information, including employee photos, full names, identification numbers, access card details, biometric data, license plate numbers, and in some cases, even full work schedules and facility access histories," Modat said. "Particularly concerning was the discovery of exposed biometric templates and facial recognition data in several popular access control systems, which could pose serious privacy risks if accessed by malicious actors."
- Telegram Remains the Top Platform for Cybercriminals — Despite new commitments from Telegram, the messaging app continues to remain a hub for cybercriminal activity. Some of the other platforms that are gaining traction, according to Flare.io, include Discord, Signal, TOX, Session, and Element/Matrix. While Discord invite links were mainly found on forums like Nulled, Cracked, VeryLeaks, and DemonForums, Matrix and Element protocol-based IDs were mainly found on drug-focused forums like RuTOR, RCclub, and BigBro. TOX and Jabber IDs were predominantly shared on the XSS, CrdPro, BreachForums, and Exploit forums. "Increased cooperation between Telegram and law enforcement has prompted discussions about alternative platforms, with Signal showing the most significant growth," the company said. "Other messaging apps like Discord, TOX, Matrix, and Session play niche roles, often tied to specific cybercriminal activities or communities. Many threat actors use multiple messaging apps to ensure accessibility and redundancy in their communications."
- OpenSSF Releases Best Practices for Open-Source Projects — The Open Source Security Foundation (OpenSSF) released the Open Source Project Security Baseline (OSPS Baseline), a three-tiered set of requirements that aims to improve the security posture of open source software projects. "The OSPS Baseline offers a tiered framework of security practices that evolve with project maturity. It compiles existing guidance from OpenSSF and other expert groups, outlining tasks, processes, artifacts, and configurations that enhance software development and consumption security," the OpenSSF said. "By adhering to the Baseline, developers can lay a foundation that supports compliance with global cybersecurity regulations, such as the E.U. Cyber Resilience Act (CRA) and U.S. National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF)." The development comes as Google issued calls for standardizing memory safety by "establishing a common framework for specifying and objectively assessing memory safety assurances."
- MITRE Releases OCCULT Framework — The MITRE Corporation has detailed a lightweight operational evaluation framework called OCCULT that allows cyber security experts to quantify the possible risks associated with a large language model (LLM) used in offensive cyber operations. "The OCCULT goal is ultimately about understanding the cyber operation capability of an AI system, and quantifying performance in these dimensions of cyber reasoning can provide insight into that," MITRE said.
- Michigan Man Indicted on Wire Fraud and Aggravated Identity Theft Charges — Andrew Shenkosky, a 29-year-old man from the U.S. state of Michigan, has been indicted on wire fraud and aggravated identity theft charges after purchasing 2,468 stolen login credentials from the dark web marketplace Genesis Market and using them to make fraudulent financial transactions. Shenkosky is also alleged to have offered some of the stolen account data for sale on other criminal forums, including the now-defunct Raid Forums. The scheme was devised and executed from approximately February 2020 to November 2020, the U.S. Justice Department said.
- 16 Malicious Google Chrome Extensions Flagged — Cybersecurity researchers have uncovered a cluster of at least 16 malicious Chrome extensions that were used to inject code into browsers to facilitate advertising and search engine optimization (SEO) fraud. The browser add-ons, now removed from the Chrome Web Store, collectively impacted 3.2 million users and masqueraded as screen capture tools, ad blockers, and emoji keyboards. According to GitLab, it is suspected that the threat actors acquired access to at least some of the extensions from their original developers to subsequently push out the trojanized versions. The activity has been ongoing since at least July 2024.
- Gmail to Ditch SMS for Two-Factor Authentication — Google is planning to end support for SMS-based two-factor authentication in Gmail in order to "reduce the impact of rampant, global SMS abuse." In lieu of the SMS-based system, the company is expected to display a QR code that users must scan in order to log in to their accounts, Forbes reported.
- Details Emerge About NSA's Alleged Hack of China's Northwestern Polytechnical University — In 2022, China accused the U.S. National Security Agency (NSA) of conducting a string of cyber attacks aimed at the Northwestern Polytechnical University. It said the attack targeting the research university employed no fewer than 40 different cyber weapons that are designed to siphon passwords, network equipment configuration, network management data, and operation and maintenance data. China has given the NSA the threat actor designation APT-C-40. According to a new analysis published by security researcher Lina Lau (aka "inversecos"), the attribution to the agency boils down to a combination of attack times (or lack thereof during the Memorial Day and Independence Day holidays), hands-on keyboard activity using American English, human error, and the presence of tools previously discovered during the Shadow Brokers leak. The attack involved the use of a zero-day vulnerability attack platform called Fox Acid to automate the delivery of browser-based exploits when visiting legitimate websites. Some of the other tools deployed included ISLAND for exploiting Solaris systems; SECONDDATE, a framework installed on edge devices to conduct network eavesdropping, MitM attacks, and code injection; NOPEN and FLAME SPRAY for remote access to compromised systems; CUNNING HERETICS, a lightweight implant for covert access to NSA communication channels; STOIC SURGEON, a backdoor targeting Linux, Solaris, JunOS, and FreeBSD systems; DRINKING TEA for credential harvesting; TOAST BREAD, a log manipulation tool that erased evidence of unauthorized access; and Shaver, a program to attack exposed SunOS servers for use as jump servers. It is said that NSA operatives stole classified research data, network infrastructure details, and sensitive operational documents from the university.
- Apple Find My Exploit Can Turn a Bluetooth Device into an AirTag — A group of academics from George Mason University has detailed a new vulnerability in Apple's Find My network known as nRootTag that turns devices into trackable "AirTags" without requiring root privileges. "The attack achieves a success rate of over 90% within minutes at a cost of a few U.S. dollars. Or, a rainbow table can be built to search keys instantly," the researchers said. "Subsequently, it can locate a computer in minutes, posing a substantial risk to user privacy and safety. The attack is effective on Linux, Windows, and Android systems, and can be employed to track desktops, laptops, smartphones, and IoT devices." Apple has released patches in iOS 18.2, iPadOS 17.7.3, 18.2, watchOS 11.2, tvOS 18.2, macOS Ventura 13.7.2, Sonoma 14.7.2, Sequoia 15.2, and visionOS 2.2 to fix the vulnerability. That said, the attack remains effective as long as unpatched iPhones or Apple Watches are in the proximity of a target device running a malicious trojan that is capable of sending Bluetooth Low Energy (BLE) broadcasts, which are used to glean the device's location by querying Apple's servers. In other words, simply by installing malware that can send BLE advertisements, the technique can make the device it is running on trackable via Apple's Find My network.
- Swedish Authorities Seek Backdoor Access to Encrypted Messaging Apps — Sweden's law enforcement and security agencies are pushing for legislation that would force encrypted messaging services like Signal and WhatsApp to create technical backdoors allowing them to access communications. Signal Foundation President Meredith Whittaker said the company would rather exit the market than comply with such a law, Swedish news outlet SVT Nyheter reported last week. The development follows Apple's disabling of iCloud's Advanced Data Protection (ADP) feature for users in the U.K. last week in response to reports that the Home Office had asked for the ability to access encrypted contents in the cloud. Tulsi Gabbard, the director of U.S. National Intelligence, said she was not informed in advance about the U.K. government's demand to be able to access Apple customers' encrypted data. U.S. officials are said to be examining whether the U.K. violated a bilateral agreement by demanding Apple create a "backdoor" to access end-to-end encrypted iCloud data, according to Reuters. It also comes as concerns are being raised over a proposed amendment to the Narcotrafic law in France that seeks to backdoor encrypted messaging systems and hand over chat messages of suspected criminals within 72 hours of a law enforcement request. "A backdoor for the good guys only is a dangerous illusion," Matthias Pfau, CEO of Tuta Mail, said in a statement shared with The Hacker News. "Weakening encryption for law enforcement inevitably creates vulnerabilities that can – and will – be exploited by cybercriminals and hostile foreign actors. This law would not just target criminals, it would destroy security for everyone."
- Cybercriminal Behind More Than 90 Data Leaks Arrested — A joint operation of the Royal Thai Police and the Singapore Police Force has led to the arrest of an individual responsible for more than 90 instances of data leaks worldwide, including 65 in the Asia-Pacific (APAC) region alone. The leaks resulted in the sale of over 13TB of personal data on the dark web, per Singaporean company Group-IB. The individual operated under various aliases: ALTDOS, DESORDEN, GHOSTR, and 0mid16B. The identity of the suspect has not been disclosed, but Thai media reported that he goes by the name Chingwei. "The main goal of his attacks was to exfiltrate the compromised databases containing personal data and to demand payment for not disclosing it to the public," Group-IB said. "If the victim refused to pay, he did not announce the leaks on dark web forums. Instead he notified the media or personal data protection regulators, with the intention of causing greater reputational and financial damage to his victims." In select instances, the threat actor also encrypted the victim's databases as a means of exerting more pressure. The attacks leveraged SQL injection tools like sqlmap and exploited vulnerable Remote Desktop Protocol (RDP) servers to gain unauthorized access, followed by deploying a cracked version of an adversary simulation tool named Cobalt Strike for controlling compromised servers and exfiltrating data. Targets of the individual's attacks spanned industries such as healthcare, retail, property investment, finance, e-commerce, logistics, technology, hospitality, insurance, and recruitment.
Expert Webinar
- Webinar 1: Discover How ASPM Bridges Critical Gaps in AppSec Before It's Too Late — Join our free webinar to learn how ASPM is changing app security. Amir Kaushansky from Palo Alto Networks will show you how ASPM unites your security tools and makes managing risks easier. Hear real success stories from hundreds of users and get clear, practical advice to protect your apps.
- Webinar 2: Transform Your Code Security with One Smart Engine — Join this next webinar to learn how to stop identity-based attacks like phishing and MFA bypass. Discover a secure access solution trusted by over 500 customers. With limited spots, don't miss your chance to protect your identity. Sign up now!
P.S. Know someone who could use these? Share it.
Cybersecurity Tools
- MEDUSA — It's a powerful, FRIDA-powered tool designed for dynamic analysis of Android and iOS apps. It automates tasks such as bypassing SSL pinning, tracing function calls, and modifying app behavior in real time—all in a simple and efficient way. This makes it the perfect solution for uncovering vulnerabilities and strengthening mobile security.
- Galah — It's an AI-driven web honeypot designed to lure and study cyber attackers. It mimics different web applications by generating realistic, functional responses to any HTTP request, making it harder for hackers to tell what's real. Originally built as a fun project to explore the power of large language models, Galah offers a simple way to see how modern AI can be used in cybersecurity.
Tip of the Week
The Hidden Dangers of Copy-Paste: How to Secure Your Clipboard from Cyber Threats — Clipboard security is often overlooked, yet it is a prime target for attackers. Malware can hijack your clipboard to steal sensitive data, swap cryptocurrency addresses, or execute malicious commands without your knowledge. Tools like Edit Clipboard Contents Tool let you inspect and modify clipboard data at a raw level, providing visibility into potential threats. Sysinternals Process Monitor (ProcMon) can detect suspicious access to the clipboard, helping you catch rogue processes. Additional tools like InsideClipboard and Clipboardic log clipboard history and show all formats, revealing hidden malicious content that could otherwise go unnoticed.
To protect against clipboard-based attacks, clear the clipboard after copying sensitive data, and avoid pasting from untrusted sources. Developers should implement auto-clearing of clipboard data and sanitize pasted input to prevent exploits. Cybersecurity professionals can monitor clipboard access via Sysmon or DLP systems to alert on suspicious behavior. By incorporating these tools and habits, you can better defend against clipboard hijacking and ensure sensitive information remains secure.
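The Sysmon monitoring suggested above, as an added example that is not part of the original article: it triages Sysmon ClipboardChange (Event ID 24) records and flags two things, a clipboard write by a process outside a host allow-list, and a second process overwriting the clipboard within two seconds of the user's copy, which is the footprint a cryptocurrency-address swapper leaves. The allow-list, the two-second window, the sample records and the assumption that Sysmon was deployed with `<CaptureClipboard/>` (so that Event ID 24 is logged, with the field names used here) are all mine, not the article's.

```python
"""Triage Sysmon ClipboardChange (Event ID 24) records for clipboard hijacking.

Assumptions (not from the article): Sysmon runs with <CaptureClipboard/>, and
Event ID 24 records have been exported to dicts keyed by Sysmon's EventData
field names (UtcTime, Image, ProcessId, Session). Sample records are constructed.
"""
from datetime import datetime, timedelta

# Constructed Event ID 24 records: a normal copy in Explorer, an immediate
# overwrite by an unknown binary in %TEMP%, two browser copies, then Notepad.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-02-28 10:00:00.000", "Image": r"C:\Windows\explorer.exe",
     "ProcessId": "4120", "Session": "1"},
    {"UtcTime": "2025-02-28 10:00:00.400",
     "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "ProcessId": "7788", "Session": "1"},
    {"UtcTime": "2025-02-28 10:00:30.000",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ProcessId": "5120", "Session": "1"},
    {"UtcTime": "2025-02-28 10:00:31.000",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ProcessId": "5120", "Session": "1"},
    {"UtcTime": "2025-02-28 10:06:00.000", "Image": r"C:\Windows\System32\notepad.exe",
     "ProcessId": "9001", "Session": "1"},
]

# Processes expected to write the clipboard on this host (constructed allow-list,
# compared case-insensitively because Windows paths are).
EXPECTED_WRITERS = {
    r"c:\windows\explorer.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}

# A different process replacing the clipboard this soon after a copy is the
# behaviour of an address-swapping "clipper"; legitimate apps rarely do it.
SWAP_WINDOW = timedelta(seconds=2)


def parse_utc(value):
    """Sysmon UtcTime looks like '2025-02-28 10:00:00.400'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def triage(events, expected=EXPECTED_WRITERS, window=SWAP_WINDOW):
    """Return (UtcTime, Image, reason) alerts for suspicious clipboard writes."""
    alerts = []
    last_by_session = {}  # Session -> (time, image) of the previous change
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        when, image = parse_utc(ev["UtcTime"]), ev["Image"]
        if image.lower() not in expected:
            alerts.append((ev["UtcTime"], image, "unexpected clipboard writer"))
        prev = last_by_session.get(ev["Session"])
        if prev and prev[1].lower() != image.lower() and when - prev[0] <= window:
            alerts.append((ev["UtcTime"], image, "possible clipboard swap"))
        last_by_session[ev["Session"]] = (when, image)
    return alerts


if __name__ == "__main__":
    for utc_time, image, reason in triage(SAMPLE_EVENTS):
        print(f"{utc_time}  {reason:27}  {image}")
```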
Conclusion
As we close this week's update, remember that staying informed is the first step to protecting yourself online. Every incident—from targeted exploits to AI misuse—shows that cyber threats are real and constantly changing.
Thanks for reading. Stay alert, update your systems, and use these insights to make smarter choices in your digital life. Stay safe until next week.