Welcome to this week's Cybersecurity News Recap. Discover how cyber attackers are using clever tricks like fake codes and sneaky emails to gain access to sensitive data. We cover everything from device code phishing to cloud exploits, breaking down the technical details into simple, easy-to-follow insights.
Threat of the Week
Russian Threat Actors Leverage Device Code Phishing to Hack Microsoft Accounts — Microsoft and Volexity have revealed that threat actors with ties to Russia are leveraging a technique known as device code phishing to gain unauthorized access to victim accounts, and use that access to get hold of sensitive data and enable persistent access to the victim environment. At least three different Russia-linked clusters have been identified abusing the technique to date. The attacks entail sending phishing emails that masquerade as Microsoft Teams meeting invitations, which, when clicked, urge the message recipients to authenticate using a threat actor-generated device code, thereby allowing the adversary to hijack the authenticated session using the valid access token.
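Because the victim completes a legitimate sign-in, the defender's signal is not a failed login but a successful one that used an unusual flow. The script below is an added example (not from Microsoft, Volexity, or the original recap) that runs over a constructed JSON Lines export of Entra ID sign-in records and flags successful device-code sign-ins that break a per-user baseline: a user who has never used device code flow before, or a device-code sign-in from an IP the user has not been seen on. Field names (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `appDisplayName`, `createdDateTime`, `status.errorCode`) follow the Microsoft Graph signIn schema as I understand it; check them against your own tenant's export, and treat every value in the sample records as invented.

```python
import json
from collections import defaultdict

# Constructed sign-in records in JSON Lines form, shaped like an export of Entra ID
# sign-in logs. Field names follow the Microsoft Graph signIn resource; every
# value (users, IPs, times) is invented for this example.
BASELINE_JSONL = """\
{"createdDateTime": "2025-01-06T08:02:11Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "authorizationCodeFlow", "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-07T09:15:40Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "authorizationCodeFlow", "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-08T14:20:05Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
"""

NEW_JSONL = """\
{"createdDateTime": "2025-02-12T10:31:02Z", "userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.55", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-12T11:05:44Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-12T11:40:19Z", "userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.56", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-02-12T12:00:00Z", "userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.99", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "authorizationCodeFlow", "status": {"errorCode": 0}}
"""


def parse_jsonl(text):
    """Parse JSON Lines, skipping blank lines and lines that are not valid JSON."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def build_profiles(records):
    """Per-user baseline: IPs seen before, and whether device code flow was ever used."""
    profiles = defaultdict(lambda: {"ips": set(), "device_code_seen": False})
    for r in records:
        upn = r.get("userPrincipalName")
        if not upn:
            continue
        if r.get("ipAddress"):
            profiles[upn]["ips"].add(r["ipAddress"])
        if r.get("authenticationProtocol") == "deviceCode":
            profiles[upn]["device_code_seen"] = True
    return profiles


def flag_device_code_signins(new_records, baseline_records):
    """Return one alert per successful device-code sign-in that breaks the user's baseline."""
    profiles = build_profiles(baseline_records)
    alerts = []
    for r in new_records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        # Only a successful sign-in means a token was actually issued to the
        # polling client; failed attempts (non-zero errorCode) are left to a
        # separate, lower-severity rule.
        if (r.get("status") or {}).get("errorCode", 0) != 0:
            continue
        upn = r.get("userPrincipalName", "<unknown>")
        profile = profiles.get(upn)
        reasons = []
        if profile is None or not profile["device_code_seen"]:
            reasons.append("first device-code sign-in for this user")
        if profile is None or r.get("ipAddress") not in profile["ips"]:
            reasons.append("source IP not seen in baseline")
        if reasons:
            alerts.append({
                "user": upn,
                "time": r.get("createdDateTime"),
                "ip": r.get("ipAddress"),
                "app": r.get("appDisplayName"),
                "reasons": reasons,
            })
    return alerts


def run_demo():
    """Flag the constructed new sign-ins against the constructed baseline."""
    return flag_device_code_signins(parse_jsonl(NEW_JSONL), parse_jsonl(BASELINE_JSONL))


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert))
```

On the sample data only Alice's sign-in is flagged: Bob legitimately uses device code flow from a known address for a CLI tool, Carol's attempt failed, and Dave used the ordinary browser flow. Baselining per user rather than per application is deliberate, since the application shown in the log is chosen by whoever initiated the device code request. Where users have no need for device code flow at all, blocking it outright through a Conditional Access authentication-flows policy removes the attack path rather than just detecting it.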
Top News
- whoAMI Attack Exploits AWS AMI Name Confusion for Remote Code Execution — A new type of name confusion attack called whoAMI allows anyone who publishes an Amazon Machine Image (AMI) with a specific name to gain code execution within an Amazon Web Services (AWS) account that selects images by name alone. Datadog, which detailed the attack, said roughly 1% of organizations monitored by the company were affected by whoAMI, and that it found public examples of code written in Python, Go, Java, Terraform, Pulumi, and Bash shell using the vulnerable search criteria. AWS told The Hacker News that there is no evidence of malicious exploitation of the security weakness.
- RansomHub Targets Over 600 Orgs Globally — The RansomHub ransomware operation has targeted over 600 organizations across the world, spanning sectors such as healthcare, finance, government, and critical infrastructure, making it one of the most active cybercrime groups in 2024. One such attack has been found to weaponize now-patched security flaws in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to a victim network's domain controller as part of the group's post-compromise strategy.
- REF7707 Uses Outlook Drafts for Command-and-Control — A previously undocumented threat activity cluster dubbed REF7707 has been observed using a remote administration tool named FINALDRAFT that parses commands stored in the mailbox's drafts folder and writes the results of each command's execution into a new draft email. It uses the Outlook email service via the Microsoft Graph API for command-and-control (C2) purposes. The group has been observed targeting the foreign ministry of an unnamed South American nation, as well as a telecommunications entity and a university, both located in Southeast Asia.
- Kimsuky Embraces ClickFix-Style Attack Strategy — The North Korean threat actor known as Kimsuky (aka Black Banshee) is using a new tactic that involves deceiving targets into running PowerShell as an administrator and then instructing them to paste and run malicious code provided by the attackers. "To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a spear-phishing email with an [sic] PDF attachment," Microsoft said. Users are then convinced to click on a URL urging them to register their device in order to read the PDF attachment. The end goal of the attack is to establish a data communication mechanism that allows the adversary to exfiltrate data.
- Law Enforcement Op Takes Down 8Base — A consortium of law enforcement agencies has arrested four Russian nationals and seized over 100 servers linked to the 8Base ransomware gang. The arrests were made in Thailand. Two of the suspects are accused of operating a cybercrime group that used Phobos ransomware to victimize more than 1,000 public and private entities in the country and across the world. The development comes in the aftermath of a series of high-profile ransomware disruptions associated with Hive, LockBit, and BlackCat in recent years. Late last year, Evgenii Ptitsyn, a 42-year-old Russian national believed to be the administrator of the Phobos ransomware, was extradited to the U.S.
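The whoAMI item above turns on one detail: code that searches for an AMI by a name pattern and takes the most recent match, without restricting who published it. The following is an added example (not Datadog's or AWS's code) that puts the vulnerable selection logic beside the hardened one and runs both over a constructed stand-in for the `Images` list that EC2 `DescribeImages` returns. The owner IDs (`111111111111` for the publisher you trust, `999999999999` for an unrelated account), image IDs, names and dates are all placeholders; `boto3` itself is not imported so the example runs offline, and the real API call is shown only in a comment.

```python
import fnmatch

# Placeholder owner IDs: 111111111111 stands in for the publisher you trust,
# 999999999999 for an unrelated account that published a look-alike name.
TRUSTED_OWNERS = ["111111111111"]
NAME_PATTERN = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"

# Constructed stand-in for the "Images" list returned by EC2 DescribeImages.
# CreationDate uses the API's ISO 8601 form, so same-format strings sort
# chronologically when compared as text.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000000a",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240101",
     "OwnerId": "111111111111", "CreationDate": "2024-01-01T00:00:00.000Z"},
    {"ImageId": "ami-0000000000000000b",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20241201",
     "OwnerId": "111111111111", "CreationDate": "2024-12-01T00:00:00.000Z"},
    # Newer than anything the trusted publisher has, with a matching name,
    # but from an account we never vetted.
    {"ImageId": "ami-0000000000000000c",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20991231",
     "OwnerId": "999999999999", "CreationDate": "2025-01-15T00:00:00.000Z"},
]


def describe_images_params(name_pattern, trusted_owners):
    """Keyword arguments for ec2.describe_images(); the Owners restriction is mandatory.

    Usage with boto3 (not executed here):
        ec2 = boto3.client("ec2")
        resp = ec2.describe_images(**describe_images_params(NAME_PATTERN, TRUSTED_OWNERS))
        ami = select_ami_hardened(resp["Images"], NAME_PATTERN, TRUSTED_OWNERS)
    """
    if not trusted_owners:
        raise ValueError("refusing to search AMIs without an owner restriction")
    return {
        "Owners": list(trusted_owners),
        "Filters": [{"Name": "name", "Values": [name_pattern]}],
    }


def newest(images):
    """Most recently created image, or None when nothing matched."""
    return max(images, key=lambda img: img["CreationDate"]) if images else None


def select_ami_vulnerable(images, name_pattern):
    """The whoAMI-prone pattern: match on name only, then take the most recent."""
    matches = [img for img in images
               if fnmatch.fnmatchcase(img.get("Name", ""), name_pattern)]
    return newest(matches)


def select_ami_hardened(images, name_pattern, trusted_owners):
    """Same search, but only images published by accounts you explicitly trust."""
    if not trusted_owners:
        raise ValueError("refusing to select an AMI without an owner restriction")
    owners = set(trusted_owners)
    matches = [img for img in images
               if img.get("OwnerId") in owners
               and fnmatch.fnmatchcase(img.get("Name", ""), name_pattern)]
    return newest(matches)


if __name__ == "__main__":
    print("vulnerable picks:", select_ami_vulnerable(SAMPLE_IMAGES, NAME_PATTERN)["ImageId"])
    print("hardened picks:  ", select_ami_hardened(SAMPLE_IMAGES, NAME_PATTERN, TRUSTED_OWNERS)["ImageId"])
```

On the sample data the name-only search returns the look-alike image from the untrusted account simply because it is newest, while the owner-restricted search returns the trusted publisher's latest build. The same distinction applies to infrastructure-as-code: Terraform's `aws_ami` data source, for instance, accepts an `owners` argument alongside `most_recent`, and a review of existing pipelines should look for any AMI lookup that lacks it.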
Trending CVEs
Your go-to software could be hiding dangerous security flaws—don't wait until it's too late! Update now and stay ahead of the threats before they catch you off guard.
This week's list includes — CVE-2025-1094 (PostgreSQL), CVE-2025-0108 (Palo Alto Networks PAN-OS), CVE-2025-23359 (NVIDIA Container Toolkit), CVE-2025-21391 (Microsoft Windows Storage), CVE-2025-21418 (Microsoft Windows Ancillary Function Driver for WinSock), CVE-2024-38657, CVE-2025-22467, CVE-2024-10644 (Ivanti Connect Secure), CVE-2024-47908 (Ivanti Cloud Services Application), CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, CVE-2024-56134, CVE-2024-56135 (Progress Kemp LoadMaster), CVE-2025-24200 (Apple iOS and iPadOS), CVE-2024-12797 (OpenSSL), CVE-2025-21298 (Microsoft Windows OLE), CVE-2025-1240 (WinZip), CVE-2024-32838 (Apache Fineract), CVE-2024-52577 (Apache Ignite), CVE-2025-26793 (Hirsch Enterphone MESH), CVE-2024-12562 (s2Member Pro plugin), CVE-2024-13513 (Oliver POS – A WooCommerce Point of Sale (POS) plugin), CVE-2025-26506 (HP LaserJet), CVE-2025-22896, CVE-2025-25067, CVE-2025-24865 (mySCADA myPRO Manager), CVE-2024-13182 (WP Directorybox Manager plugin), CVE-2024-10763 (Campress theme), CVE-2024-7102 (GitLab CE/EE), CVE-2024-12213 (WP Job Board Pro plugin), CVE-2024-13365 (Security & Malware scan by CleanTalk plugin), CVE-2024-13421 (Real Estate 7 theme), and CVE-2025-1126 (Lexmark Print Management Client).
Around the Cyber World
- Former Google Engineer Charged with Plan to Steal Trade Secrets — Linwei Ding, a former Google engineer who was arrested last March for transferring "sensitive Google trade secrets and other confidential information from Google's network to his personal account," has now been charged with seven counts of economic espionage and seven counts of theft of trade secrets related to the company's AI technology between 2022 and 2023. This included detailed information about the architecture and functionality of Google's Tensor Processing Unit (TPU) chips and systems and Graphics Processing Unit (GPU) systems, the software that allows the chips to communicate and execute tasks, and the software that orchestrates thousands of chips into a supercomputer capable of training and executing cutting-edge AI workloads. The trade secrets also relate to Google's custom-designed SmartNIC, a type of network interface card used to enhance Google's GPU, high performance, and cloud networking products. "Ding intended to benefit the PRC government by stealing trade secrets from Google," the U.S. Department of Justice said. "Ding allegedly stole technology relating to the hardware infrastructure and software platform that allows Google's supercomputing data center to train and serve large AI models." The superseding indictment also said that Chinese-sponsored talent programs incentivize people engaged in research and development outside the country to transmit such information in exchange for salaries, research funds, lab space, or other incentives. If convicted, Ding faces a maximum penalty of 10 years in prison and up to a $250,000 fine for each trade-secret count and 15 years in prison and a $5,000,000 fine for each economic espionage count.
- Windows UI Flaw Exploited by Mustang Panda — Israeli cybersecurity company ClearSky has warned that a suspected Chinese nation-state group known as Mustang Panda is actively exploiting a UI vulnerability in Microsoft Windows. "When files are extracted from compressed 'RAR' files they are hidden from the user," the company said. "If the compressed files are extracted into a folder, the folder appears empty in the Windows Explorer GUI. When using the 'dir' command to list all files and folders inside the target folder, the extracted files and folders are 'invisible/hidden' to the user. Threat actors or users can still execute these compressed files from a command line prompt, if they know the exact path. As a result of executing 'attrib -s -h' on system protected files, an unknown file type is created from the type 'Unknown' ActiveX component." It is currently not clear who the targets of the attack are, or what the end goals of the campaign are.
- Meta Paid Over $2.3M in Bug Bounty Rewards in 2024 — Meta said it paid out more than $2.3 million in rewards to nearly 200 security researchers as part of its bug bounty program in 2024. In total, the company has handed out more than $20 million since the inception of the program in 2011. The top three countries based on bounties awarded in 2024 are India, Nepal, and the United States.
- Critical ThinkPHP and OwnCloud Flaws Under Active Exploitation — Threat actors have been actively attempting to exploit two known security vulnerabilities impacting ThinkPHP (CVE-2022-47945, CVSS score: 9.8) and OwnCloud (CVE-2023-49103, CVSS score: 10.0) over the past few days, with attacks originating from hundreds of unique IP addresses, most of which are based in Germany, China, the U.S., Singapore, Hong Kong, the Netherlands, the U.K., and Canada. Organizations are recommended to apply the necessary patches (ThinkPHP to 6.0.14+ and ownCloud GraphAPI to 0.3.1+) and restrict access to reduce the attack surface.
- FSB Mole Arrested in Ukraine — The Security Service of Ukraine (SSU) said it had detained one of its own high-level officials, accusing them of acting as a mole for Russia. The individual, one of the officers of the SSU Counterterrorism Center, is alleged to have been recruited by Russia's Federal Security Service (FSB) in Vienna in 2018, and actively began engaging in espionage at the end of December last year, transmitting documents containing state secrets to the intelligence agency via a "special mobile phone." The SSU, upon learning of the individual's actions, said it "used him in a counterintelligence 'game': through the traitor the SSU fed the enemy a large amount of disinformation." The individual's name was not disclosed, but the Kyiv Independent said it is Colonel Dmytro Kozyura, citing unnamed SSU sources.
- LLMjacking Hits DeepSeek — Malicious actors have been observed capitalizing on the popularity of AI chatbot platform DeepSeek to conduct what's called LLMjacking attacks, which involve selling access obtained to legitimate cloud environments to other actors for a price. These attacks involve the use of stolen credentials to allow access to machine learning services via the OpenAI Reverse Proxy (ORP), which acts as a reverse proxy server for LLMs of various providers. The ORP operators hide their IP addresses using TryCloudflare tunnels. Ultimately, the illicit LLM access is used to generate NSFW content and malicious scripts, and even to circumvent bans on ChatGPT in countries like China and Russia, where the service is blocked. "Cloud-based LLM usage costs can be staggering, surpassing several hundreds of thousands of dollars monthly," Sysdig said. "The high cost of LLMs is the reason cybercriminals choose to steal credentials rather than pay for LLM services. Due to steep costs, a black market for access has developed around OAI Reverse Proxies — and underground service providers have risen to meet the needs of consumers."
- Romance Baiting Scams Jump 40% YoY — Pig butchering scams, also called romance baiting, accounted for 33.2% of the estimated $9.9 billion revenue earned by cybercriminals in 2024 from cryptocurrency scams, growing nearly 40% year-over-year. However, the average deposit amount to pig butchering scams declined 55% YoY, possibly indicating a shift in how these scams are conducted. "Pig butchering scammers have also evolved to diversify their business model beyond the 'long con' of pig butchering scams — which can take months or even years of developing a relationship before receiving victim funds — to quicker turnaround employment or work-from-home scams that often yield smaller victim deposits," Chainalysis said. Further analysis of on-chain activity has found that HuiOne Guarantee is heavily used for illicit crypto-based activities supporting the pig butchering industry in Southeast Asia. Scammers have also been observed using generative AI technology to facilitate crypto scams, often to impersonate others or generate realistic content.
- Security Issues in RedNote Flagged — It's not just DeepSeek. A new network security analysis undertaken by the Citizen Lab has uncovered multiple issues in RedNote's (aka Xiaohongshu) Android and iOS apps. These include fetching viewed images and videos over HTTP, transmitting insufficiently encrypted device metadata, and a vulnerability that enables network attackers to learn the contents of any files that RedNote has permission to read on the users' devices. While the second vulnerability was introduced by an upstream analytics SDK, MobTech, the third issue was introduced by NEXTDATA. As of writing, all the flaws remain unpatched. The vulnerabilities "could enable surveillance by any government or ISP, and not just the Chinese government," the Citizen Lab said.
- CISA Urges Orgs to Tackle Buffer Overflows — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a Secure by Design Alert urging organizations to eliminate buffer overflow vulnerabilities in software. "These vulnerabilities can lead to data corruption, sensitive data exposure, program crashes, and unauthorized code execution," the agencies said, labeling them unforgivable defects. "Threat actors frequently exploit these vulnerabilities to gain initial access to an organization's network and then move laterally to the wider network." Saeed Abbasi, manager of vulnerability research at Qualys Threat Research Unit (TRU), emphasized the need to move away from memory-unsafe languages. "Legacy excuses are out; the world has zero tolerance for memory-unsafe code in 2025," Abbasi said. "Yes, rewriting old systems is daunting, but letting attackers exploit decades-old buffer overflows is worse. Organizations still clinging to unsafe languages risk turning minor vulnerabilities into massive breaches—and they can't claim surprise. We've had proven fixes for ages: phased transitions to Rust or other memory-safe options, compiler-level safeguards, thorough adversarial testing, and public commitments to a secure-by-design roadmap. The real challenge is collective will: leadership must demand memory-safe transitions, and software buyers must hold vendors accountable."
- Foreign Adversaries Target Local Communities in the U.S. for Influence Ops — A new report from the Alliance for Securing Democracy (ASD) has found that foreign nation-state actors from Russia, China, and Iran are running influence operations that exploit trust in local sources and target state and local communities in the U.S. with the aim of manipulating public opinion, stoking discord, and undermining democratic institutions. "In some cases, adversarial nations seek favorable outcomes around local policy issues; in others, they use local debates as Trojan horses to advance their broader geopolitical agendas," the research said. Russia emerged as the most active threat actor, with 26 documented cases designed to polarize Americans through themes related to immigration and election integrity. Beijing, on the other hand, sought to cultivate support for Chinese state interests.
- Financial Orgs Asked to Switch to Quantum-Safe Cryptography — Europol is urging financial institutions and policymakers to transition to quantum-safe cryptography, citing an "imminent" threat to cryptographic security due to the rapid advancement of quantum computing. The primary risk is that threat actors could steal encrypted data today with the intention of decrypting it in the future using quantum computing, a technique called "harvest now, decrypt later" or retrospective decryption. "A sufficiently advanced quantum computer has the potential to break widely used public-key cryptographic algorithms, endangering the confidentiality of financial transactions, authentication processes, and digital contracts," the agency said. "While estimates suggest that quantum computers capable of such threats could emerge within the next 10 to 15 years, the time required to transition away from vulnerable cryptographic methods is significant. A successful transition to post-quantum cryptography requires collaboration among financial institutions, technology providers, policymakers, and regulators." Last year, the U.S. National Institute of Standards and Technology (NIST) formally announced the first three "quantum-safe" algorithms.
- Google Addresses High Impact Flaws — Google has addressed a pair of security flaws that could be chained by malicious actors to unmask the email address of any YouTube channel owner. The first of the two is a vulnerability identified in a YouTube API that could leak a user's GAIA ID, a unique identifier used by Google to manage accounts across its network of sites. This ID could then be fed as input to an outdated web API associated with Pixel Recorder to convert it into an email address when sharing a recording. Following responsible disclosure on September 24, 2024, the issues were resolved as of February 9, 2025. There is no evidence that these shortcomings were ever abused in the wild.
- New DoJ Actions Target Crypto Fraud — Eric Council Jr., 25, of Alabama, has pleaded guilty to charges related to the January 2024 hacking of the U.S. Securities and Exchange Commission's (SEC) X account. The account was taken over to falsely announce that the SEC had approved BTC Exchange Traded Funds, causing a spike in the price of bitcoin. The attack was carried out through an unauthorized Subscriber Identity Module (SIM) swap performed by the defendant, who tricked a mobile phone provider store into reassigning the victim's phone number to a SIM card in his possession using a fraudulent identification card produced with an ID card printer. Council, who was arrested in December 2024, pleaded guilty to conspiracy to commit aggravated identity theft and access device fraud. He faces a maximum penalty of five years in prison. In a related development, a 22-year-old man from Indiana, Evan Frederick Light, was sentenced to 20 years in federal prison for running a massive cryptocurrency theft scheme from his mother's basement. Light broke into an investment holdings company in South Dakota in February 2022, stealing customers' personal data and cryptocurrency worth over $37 million from nearly 600 victims. The stolen cryptocurrency was then funneled to various locations throughout the world, including several mixing services and gambling websites, to conceal his identity and to hide the digital currency. Separately, the Justice Department has also charged Canadian national Andean Medjedovic, 22, with exploiting smart contract vulnerabilities in two decentralized finance crypto platforms, KyberSwap and Indexed Finance, to fraudulently obtain about $65 million from the protocols' investors between 2021 and 2023. A master's degree holder in mathematics from the University of Waterloo, Medjedovic is also alleged to have laundered the proceeds through mixers and bridge transactions in an attempt to conceal the source and ownership of the funds. Medjedovic is charged with one count of wire fraud, one count of unauthorized damage to a protected computer, one count of attempted Hobbs Act extortion, one count of money laundering conspiracy, and one count of money laundering. He faces over 30 years in prison.
- U.S. Lawmakers Warn Against U.K. Order for Backdoor to Apple Data — After reports emerged that security officials in the U.K. have ordered Apple to create a backdoor to access any Apple user's iCloud content, U.S. Senator Ron Wyden and Member of Congress Andy Biggs have sent a letter to Tulsi Gabbard, the Director of National Intelligence, urging the U.K. to retract its order, citing that it threatens the "privacy and security of both the American people and the U.S. government." "If the U.K. does not immediately reverse this dangerous effort, we urge you to reevaluate U.S.-U.K. cybersecurity arrangements and programs as well as U.S. intelligence sharing with the U.K.," they added. The purported Apple backdoor request would reportedly allow authorities to access data currently secured by Advanced Data Protection, potentially affecting users worldwide. Wyden has also released a draft version of the Global Trust in American Online Services Act, which seeks to "secure Americans' communications against abusive foreign demands to weaken the security of communications services and software used by Americans." While security experts have criticized the order, British officials have neither confirmed nor denied it.
Cybersecurity Webinars
- Webinar 1: From Code to Runtime: Transform Your App Security — Join our webinar with Amir Kaushansky from Palo Alto Networks and see how ASPM can change your app security. Learn to connect code details with live data to fix gaps before they become risks. Discover smart, proactive ways to protect your applications in real time.
- Webinar 2: From Debt to Defense: Fix Identity Gaps Fast — Join our free webinar with experts Karl Henrik Smith and Adam Boucher as they show you how to spot and close identity gaps with Okta's Secure Identity Assessment. Learn simple steps to streamline your security process, focus on key fixes, and build a stronger defense against threats.
P.S. Know someone who could use these? Share it.
Cybersecurity Tools
- WPProbe — A fast WordPress plugin scanner that uses REST API enumeration to stealthily detect installed plugins without brute force, querying exposed endpoints and matching them against a precompiled database of over 900 plugins. It also maps detected plugins to known vulnerabilities (CVEs) and outputs results in CSV or JSON format, making scans both rapid and less likely to trigger security defenses.
- BruteShark — A powerful and user-friendly Network Forensic Analysis Tool built for security researchers and network administrators. It digs deep into PCAP files or live network captures to extract passwords, rebuild TCP sessions, map your network visually, and even convert password hashes for offline brute force testing with Hashcat. Available as a Windows GUI or a versatile CLI for Windows and Linux.
Tip of the Week
Segment Your Wi-Fi Network for Better Security — In today's smart home, you likely have many connected devices—from laptops and smartphones to smart TVs and various IoT gadgets. When all these devices share the same Wi‑Fi network, a breach of one device could potentially put your entire network at risk. Home network segmentation helps protect you by dividing your network into separate parts, similar to how large businesses isolate sensitive information.
To set this up, use your router's guest network or VLAN features to create different SSIDs, such as "Home_Private" for personal devices and "Home_IoT" for smart gadgets. Ensure each network uses strong encryption (WPA3 or WPA2) with unique passwords, and configure your router so devices on one network cannot communicate with those on another. Test your setup by connecting your devices accordingly and verifying that cross-network traffic is blocked, then periodically check your router's dashboard to keep the configuration running smoothly.
Conclusion
That wraps up this week's cybersecurity news. We've covered a broad range of stories—from the case of a former Google engineer charged with stealing key AI secrets to hackers taking advantage of a Windows user interface flaw. We've also seen how cybercriminals are moving into new areas like AI misuse and cryptocurrency scams, while law enforcement and industry experts work hard to catch up.
These headlines remind us that cyber threats come in many forms, and every day new risks emerge that can affect everyone from large organizations to individual users. Keep an eye on these developments and take steps to protect your digital life. Thank you for joining us, and we look forward to keeping you informed next week.