This week, a 23-year-old Serbian activist found themselves at the crossroads of digital danger when a stealthy zero-day exploit turned their Android device into a target. Meanwhile, Microsoft pulled back the curtain on a scheme in which cybercriminals used AI tools for harmful ends, and a huge trove of live secrets was discovered, reminding us that even the tools we rely on can hide dangerous surprises.
We have sifted through a storm of cyber threats, from phishing scams to malware attacks, and broken down what it means for you in clear, everyday language. Get ready to dive into the details, understand the risks, and learn how to protect yourself in an increasingly unpredictable online world.
⚡ Threat of the Week
Serbian Youth Activist Targeted by Android 0-Day Exploit Chain — A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit chain developed by Cellebrite to unlock the device and likely deploy an Android spyware called NoviSpy. The flaws combined CVE-2024-53104 with CVE-2024-53197 and CVE-2024-50302 to escalate privileges and achieve code execution. The vulnerabilities, originally present within the Linux kernel, were addressed in December 2024. CVE-2024-53104 has since been addressed in Android as of early February 2025. In response to the development, Cellebrite said it would no longer allow Serbia to use its software, stating “we found it appropriate to stop the use of our products by the relevant customers at this time.”
🔔 Top News
- Microsoft Unmasks People Behind LLMjacking Scheme — Microsoft revealed the identities of four individuals who it said were behind an Azure Abuse Enterprise scheme that involves leveraging unauthorized access to generative artificial intelligence (GenAI) services in order to produce offensive and harmful content. The campaign, also called LLMjacking, has targeted various AI service providers, with the threat actors selling the access to other criminal actors to facilitate the illicit generation of non-consensual intimate images of celebrities and other sexually explicit content in violation of its policies.
- Common Crawl Dataset Contains Nearly 12,000 Live Secrets — An analysis of a December 2024 archive from Common Crawl has uncovered nearly 12,000 live secrets, once again highlighting how hard-coded credentials pose a severe security risk to users and organizations alike. Moreover, they also have the unintended side effect of exacerbating a problem where large language models (LLMs) end up suggesting insecure coding practices to their users due to the presence of hard-coded credentials in training data.
- Silver Fox APT Uses Winos 4.0 to Target Taiwanese Orgs — Taiwanese companies have been targeted via phishing emails that masquerade as the country’s National Taxation Bureau with an aim to deliver the Winos 4.0 (aka ValleyRAT) malware. Winos, derived from Gh0st RAT, is a modular malware framework that acts both as a remote access trojan and a command-and-control (C2) framework. The malware has also been propagated via trojanized installers for Philips DICOM viewers. A majority of these artifacts have been detected in the United States and Canada, indicating a possible expansion of the Silver Fox APT’s targeting to new regions and sectors.
- Australia Bans Kaspersky Products from Government Networks — Australia has become the latest country to ban the installation of security software from Russian company Kaspersky, citing an “unacceptable security risk to Australian Government, networks and data.” Under the new directive, government entities are prohibited from installing Kaspersky’s products and web services on government systems and devices effective April 1, 2025. They have also been advised to remove all existing instances by the cutoff date.
- Bybit Hack Officially Attributed to Lazarus Group — The North Korea-linked Lazarus Group has been implicated in the record-breaking hack of crypto exchange Bybit that led to the theft of $1.5 billion in digital assets. The attack has been attributed to a threat cluster dubbed TraderTraitor, which was previously behind the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024. Further investigation has found that the hack was carried out by compromising one of the developer machines associated with the multisig wallet platform Safe{Wallet}, which affected an account operated by Bybit. “The Bybit attack mirrors North Korea’s established tactics of targeting centralized crypto exchanges through methods such as phishing, supply chain compromises, and private key theft-strategies,” TRM Labs said. An infrastructure analysis has also found that the threat actors registered a fake domain named bybit-assessment[.]com a few hours before the theft took place. Silent Push, which discovered the domain, told The Hacker News it found no data to tie the bogus domain to the actual hack itself. It is believed that the domain may have been set up as part of another related campaign codenamed Contagious Interview. The company also noted that the threat actors behind the Contagious Interview campaign are actively targeting various cryptocurrency companies such as Stripe, Coinbase, Binance, Block, Ripple, Robinhood, Tether, Circle, Kraken, Gemini, Polygon, Chainalysis, KuCoin, eToro, Bitstamp, Bitfinex, Gate.io, Pantera Capital, Galaxy, Bitwise Asset Management, Bitwise Investments, BingX, Gauntlet, XY Labs, YouHodler, MatChain, Bemo, Barrowwise, Bondex, Halliday, Holidu, Hyphen Connect, and Windranger.
“Anyone applying for a job at one of these companies should be on the lookout for suspicious job offers or suspicious interview tactics,” the company added.
🔥 Trending CVEs
Your go-to software could be hiding dangerous security flaws. Don’t wait until it’s too late! Update now and stay ahead of the threats before they catch you off guard.
This week’s list includes — CVE-2025-27364 (MITRE Caldera), CVE-2025-24752 (Essential Addons for Elementor plugin), CVE-2025-27090 (Sliver), CVE-2024-34331 and its bypass (Parallels Desktop), CVE-2025-0690 (GRUB2), CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088 (Rsync), CVE-2025-0475, CVE-2025-0555 (GitLab), CVE-2025-20111 (Cisco Nexus 3000 and 9000 Series Switches), CVE-2025-23363 (Siemens Teamcenter), CVE-2025-0514 (LibreOffice), CVE-2025-1564 (SetSail Membership plugin), CVE-2025-1671 (Academist Membership plugin), CVE-2025-1638 (Alloggio Membership plugin), CVE-2024-12824 (Nokri – Job Board WordPress Theme), CVE-2024-9193 (WHMpress – WHMCS WordPress Integration Plugin), CVE-2024-8420 (DHVC Form plugin), CVE-2024-8425 (WooCommerce Ultimate Gift Card plugin), CVE-2025-25570 (Vue Vben Admin), CVE-2025-26943 (Jürgen Müller Easy Quotes plugin), and CVE-2025-1128 (Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin).
📰 Around the Cyber World
- Qualcomm and Google Announce Security Partnership — Chipmaker Qualcomm announced a partnership with Google with an aim to allow device manufacturers to offer up to eight years of software and security updates. “Starting with Android smartphones running on the Snapdragon 8 Elite Mobile Platform, Qualcomm Technologies now offers device manufacturers the ability to provide support for up to eight consecutive years of Android software and security updates,” the company said. “Smartphones launching on new Snapdragon 8 and 7-series mobile platforms will also be eligible to receive this extended support.” The eight-year pledge, however, only applies to devices using Arm-compatible Snapdragon 8 Elite chips and running Android 15, as well as future iterations of the Snapdragon 8 and 7-series.
- Microsoft Removes 2 Malicious VSCode Extensions — Microsoft has taken down two popular VSCode extensions, ‘Material Theme – Free’ and ‘Material Theme Icons – Free,’ from the Visual Studio Marketplace for allegedly containing malicious code. The two extensions have been downloaded nearly 9 million times cumulatively. It is believed that the malicious code was introduced in an update to the extensions, indicating either a supply chain attack or a compromise of the developer’s account. Microsoft said it also banned the developer, who claimed the issues are caused by an outdated Sanity.io dependency that “appears compromised.” Another developer commented: “After being targeted for a removal, the reasonable, good faith action that the developer should have taken would be to reach out to the VS Code team, putting himself at their disposal to address any issues they have identified. Instead, he created multiple different accounts in order to submit the same extensions in an attempt to circumvent the restrictions, and implicated the VS Code devs in a conspiracy to personally censor him.”
- Over 49,000 Misconfigured Access Management Systems Flagged — New research has uncovered more than 49,000 misconfigured access management systems (AMS) across the world, particularly in the construction, healthcare, education, manufacturing, oil, and government sectors. These misconfigurations expose personal data, employee photos, biometric data, work schedules, payslips, and other sensitive information. They could also be abused to access buildings and compromise physical security. Italy, Mexico, and Vietnam have emerged as the countries with the most exposures. “These misconfigurations exposed highly sensitive personal information, including employee photographs, full names, identification numbers, access card details, biometric data, registration code numbers, and in some cases, even complete work schedules and facility access histories,” Modat said. “Particularly concerning was the discovery of exposed biometric templates and facial recognition data in several modern access control systems, which could pose serious privacy risks if accessed by malicious actors.”
- Telegram Remains the Top Platform for Cybercriminals — Despite new commitments from Telegram, the messaging app continues to be a hub for cybercriminal activity. Some of the other platforms that are gaining traction, according to Flare.io, include Discord, Signal, TOX, Session, and Element/Matrix. While Discord invite links were primarily found on forums like Nulled, Cracked, VeryLeaks, and DemonForums, Matrix and Element protocol-based IDs were primarily found on drug-focused forums like RuTOR, RCclub, and BigBro. TOX and Jabber IDs were predominantly shared on the XSS, CrdPro, BreachForums, and Exploit forums. “Increased cooperation between Telegram and law enforcement has prompted discussions about alternative platforms, with Signal showing the most significant growth,” the company said. “Other messaging apps like Discord, TOX, Matrix, and Session play niche roles, often tied to specific cybercriminal activities or communities. Many threat actors use multiple messaging apps to ensure accessibility and redundancy in their communications.”
- OpenSSF Releases Best Practices for Open-Source Projects — The Open Source Security Foundation (OpenSSF) released the Open Source Project Security Baseline (OSPS Baseline), a three-tiered set of requirements that aims to improve the security posture of open source software projects. “The OSPS Baseline offers a tiered framework of security practices that evolve with project maturity. It compiles existing guidance from OpenSSF and other expert groups, outlining tasks, processes, artifacts, and configurations that enhance software development and consumption security,” the OpenSSF said. “By adhering to the Baseline, developers can lay a foundation that supports compliance with global cybersecurity regulations, such as the E.U. Cyber Resilience Act (CRA) and the U.S. National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF).” The development comes as Google issued calls for standardizing memory safety by “establishing a common framework for specifying and objectively assessing memory safety assurances.”
- MITRE Releases OCCULT Framework — The MITRE Corporation has detailed a lightweight operational evaluation framework called OCCULT that allows cyber security experts to quantify the potential risks associated with a large language model (LLM) used in offensive cyber operations. “The OCCULT goal is ultimately about understanding the cyber operation capability of an AI system, and quantifying performance in these dimensions of cyber reasoning can provide insight into that,” MITRE said.
- Michigan Man Indicted on Wire Fraud and Aggravated Identity Theft Charges — Andrew Shenkosky, a 29-year-old man from the U.S. state of Michigan, has been indicted on wire fraud and aggravated identity theft charges after purchasing 2,468 stolen login credentials from the dark web marketplace Genesis Market and using them to make fraudulent financial transactions. Shenkosky is also alleged to have offered some of the stolen account data for sale on other criminal forums, including the now-defunct Raid Forums. The scheme was devised and executed from approximately February 2020 to November 2020, the U.S. Justice Department said.
- 16 Malicious Google Chrome Extensions Flagged — Cybersecurity researchers have uncovered a cluster of at least 16 malicious Chrome extensions that were used to inject code into browsers to facilitate advertising and search engine optimization (SEO) fraud. The browser add-ons, now removed from the Chrome Web Store, collectively impacted 3.2 million users and masqueraded as screen capture tools, ad blockers, and emoji keyboards. According to GitLab, it is suspected that the threat actors acquired access to at least some of the extensions from their original developers in order to subsequently push out the trojanized versions. The activity has been ongoing since at least July 2024.
- Gmail to Ditch SMS for Two-Factor Authentication — Google is planning to end support for SMS-based two-factor authentication in Gmail in order to “reduce the impact of rampant, global SMS abuse.” In lieu of the SMS-based system, the company is expected to display a QR code that users need to scan in order to log in to their accounts, Forbes reported.
- Details Emerge About NSA’s Alleged Hack of China’s Northwestern Polytechnical University — In 2022, China accused the U.S. National Security Agency (NSA) of conducting a string of cyber attacks aimed at the Northwestern Polytechnical University. It said the attack targeting the research university employed no fewer than 40 different cyber weapons that are designed to siphon passwords, network equipment configuration, network management data, and operation and maintenance data. China has given the NSA the threat actor designation APT-C-40. According to a new analysis published by security researcher Lina Lau (aka “inversecos”), the attribution to the agency boils down to a combination of attack times (or lack thereof during the Memorial Day and Independence Day holidays), hands-on keyboard activity using American English, human error, and the presence of tools previously discovered in the Shadow Brokers leak. The attack involved the use of a zero-day vulnerability attack platform called Fox Acid to automate the delivery of browser-based exploits when visiting legitimate websites. Some of the other tools deployed included ISLAND for exploiting Solaris systems; SECONDDATE, a framework installed on edge devices to conduct network eavesdropping, MitM attacks, and code injection; NOPEN and FLAME SPRAY for remote access to compromised systems; CUNNING HERETICS, a lightweight implant for covert access to NSA communication channels; STOIC SURGEON, a backdoor targeting Linux, Solaris, JunOS, and FreeBSD systems; DRINKING TEA for credential harvesting; TOAST BREAD, a log manipulation tool that erased evidence of unauthorized access; and Shaver, a program to attack exposed SunOS servers for use as jump servers. It is said that NSA operatives stole classified research data, network infrastructure details, and sensitive operational documents from the university.
- Apple Find My Exploit Can Turn a Bluetooth Device into an AirTag — A group of academics from George Mason University has detailed a new vulnerability in Apple’s Find My network called nRootTag that turns devices into trackable “AirTags” without requiring root privileges. “The attack achieves a success rate of over 90% within minutes at a cost of only a few U.S. dollars. Or, a rainbow table can be built to search keys instantly,” the researchers said. “Subsequently, it can locate a computer in minutes, posing a substantial risk to user privacy and safety. The attack is effective on Linux, Windows, and Android systems, and can be employed to track desktops, laptops, smartphones, and IoT devices.” Apple has released patches in iOS 18.2, iPadOS 17.7.3, 18.2, watchOS 11.2, tvOS 18.2, macOS Ventura 13.7.2, Sonoma 14.7.2, Sequoia 15.2, and visionOS 2.2 to fix the vulnerability. That said, the attack remains effective as long as unpatched iPhones or Apple Watches are in the proximity of a target device running a malicious trojan that is capable of sending Bluetooth Low Energy (BLE) advertisements, which are used to glean a device’s location by querying Apple’s servers. In other words, simply by installing malware that can send BLE advertisements, the technique can make the device it is running on trackable via Apple’s Find My network.
- Swedish Authorities Seek Backdoor Access to Encrypted Messaging Apps — Sweden’s law enforcement and security agencies are pushing for legislation that would force encrypted messaging services like Signal and WhatsApp to create technical backdoors allowing them to access communications. Signal Foundation President Meredith Whittaker said the company would rather exit the market than comply with such a law, Swedish news outlet SVT Nyheter reported last week. The development follows Apple’s disabling of iCloud’s Advanced Data Protection (ADP) feature for users in the U.K. last week in response to reports that the Home Office had asked for the ability to access encrypted content in the cloud. Tulsi Gabbard, the director of U.S. National Intelligence, said she was not informed in advance about the U.K. government’s demand to be able to access Apple customers’ encrypted data. U.S. officials are said to be looking at whether the U.K. violated a bilateral agreement by demanding Apple create a “backdoor” to access end-to-end encrypted iCloud data, according to Reuters. It also comes as concerns are being raised over a proposed amendment to the Narcotrafic law in France that seeks to backdoor encrypted messaging systems and hand over chat messages of suspected criminals within 72 hours of a law enforcement request. “A backdoor for the good guys only is a dangerous illusion,” Matthias Pfau, CEO of Tuta Mail, said in a statement shared with The Hacker News. “Weakening encryption for law enforcement inevitably creates vulnerabilities that can – and will – be exploited by cybercriminals and hostile foreign actors. This law wouldn’t just target criminals, it would destroy security for everyone.”
- Cybercriminal Behind More Than 90 Data Leaks Arrested — A joint operation of the Royal Thai Police and the Singapore Police Force has led to the arrest of an individual responsible for more than 90 instances of data leaks worldwide, including 65 in the Asia-Pacific (APAC) region alone. The leaks resulted in the sale of over 13TB of personal data on the dark web, per Singaporean company Group-IB. The individual operated under the aliases ALTDOS, DESORDEN, GHOSTR, and 0mid16B. The identity of the suspect has not been disclosed, but Thai media reported that he goes by the name Chingwei. “The main goal of his attacks was to exfiltrate the compromised databases containing personal data and to demand payment for not disclosing it to the public,” Group-IB said. “If the victim refused to pay, he did not announce the leaks on dark web forums. Instead he notified the media or personal data protection regulators, with the aim of inflicting greater reputational and financial damage on his victims.” In select instances, the threat actor also encrypted the victim’s databases as a means of exerting more pressure. The attacks leveraged SQL injection tools like sqlmap and exploited vulnerable Remote Desktop Protocol (RDP) servers to gain unauthorized access, followed by deploying a cracked version of an adversary simulation tool named Cobalt Strike for controlling compromised servers and exfiltrating data. Targets of the individual’s attacks spanned industries such as healthcare, retail, property investment, finance, e-commerce, logistics, technology, hospitality, insurance, and recruitment.
🎥 Expert Webinar
- Webinar 1: Discover How ASPM Bridges Critical Gaps in AppSec Before It’s Too Late — Join our free webinar to learn how ASPM is changing app security. Amir Kaushansky from Palo Alto Networks will show you how ASPM unites your security tools and makes managing risks easier. Hear real success stories from hundreds of users and get clear, practical advice to protect your apps.
- Webinar 2: Transform Your Code Security with One Smart Engine — Join this next webinar to learn how to stop identity-based attacks like phishing and MFA bypass. Discover a secure access solution trusted by over 500 customers. With limited spots, don’t miss your chance to protect your identity. Sign up now!
P.S. Know someone who could use these? Share it.
🔧 Cybersecurity Tools
- MEDUSA — It’s a powerful, FRIDA-powered tool designed for dynamic analysis of Android and iOS apps. It automates tasks such as bypassing SSL pinning, tracing function calls, and modifying app behavior in real time, all in a simple and efficient manner. This makes it a strong fit for uncovering vulnerabilities and strengthening mobile security.
- Galah — It’s an AI-driven web honeypot designed to lure and study cyber attackers. It mimics different web applications by generating realistic, lifelike responses to any HTTP request, making it harder for attackers to tell what’s real. Originally built as a fun project to explore the power of large language models, Galah offers a simple way to see how modern AI can be used in cybersecurity.
🔒 Tip of the Week
The Hidden Dangers of Copy-Paste: How to Secure Your Clipboard from Cyber Threats — Clipboard security is often overlooked, yet it is a prime target for attackers. Malware can hijack your clipboard to steal sensitive data, swap cryptocurrency addresses, or execute malicious commands without your knowledge. Tools like Edit Clipboard Contents Tool let you inspect and modify clipboard data at a raw level, providing visibility into potential threats. Sysinternals Process Monitor (ProcMon) can detect suspicious access to the clipboard, helping you catch rogue processes. Additional tools like InsideClipboard and Clipboardic log clipboard history and show all formats, revealing hidden malicious content that might otherwise go unnoticed.
To protect against clipboard-based attacks, clear the clipboard after copying sensitive data, and avoid pasting from untrusted sources. Developers should implement auto-clearing of clipboard data and sanitize pasted input to prevent exploits. Security professionals can monitor clipboard access via Sysmon or DLP systems to alert on suspicious behavior. By incorporating these tools and habits, you can better defend against clipboard hijacking and ensure sensitive information remains secure.
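As an added example for this tip (not code from the article or from any of the tools it names), the Python below shows the two paste-time checks the tip asks developers for: stripping hidden characters that let pasted text look harmless, and flagging a copied cryptocurrency address that comes back changed at paste time, the signature of clipboard-swapping malware. All sample values are constructed for illustration.

```python
"""Paste-time defences for clipboard data (added example, constructed values)."""
import re
import unicodedata

# Whitespace a paste handler normally wants to keep.
ALLOWED_WHITESPACE = {"\t", "\n"}

# Format characters that render as nothing or reorder text; other control (Cc)
# and format (Cf) code points are caught by the category test below.
HIDDEN_FORMAT_CHARS = {
    "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff",   # zero-width, BOM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # bidi embeddings/overrides
    "\u2066", "\u2067", "\u2068", "\u2069",             # bidi isolates
}


def is_hidden(ch: str) -> bool:
    """True for control (Cc) or format (Cf) characters other than tab/newline."""
    if ch in ALLOWED_WHITESPACE:
        return False
    return ch in HIDDEN_FORMAT_CHARS or unicodedata.category(ch) in ("Cc", "Cf")


def find_hidden_characters(text: str) -> list[tuple[int, str]]:
    """Return (offset, Unicode name) for every hidden character in text."""
    return [(i, unicodedata.name(ch, f"U+{ord(ch):04X}"))
            for i, ch in enumerate(text) if is_hidden(ch)]


def sanitize_pasted_text(text: str, single_line: bool = True) -> tuple[str, list[str]]:
    """Strip hidden characters and, for single-line fields, extra lines.

    Returns the cleaned text plus human-readable findings so the caller can
    warn or log instead of silently accepting the paste.
    """
    findings = []
    hidden = find_hidden_characters(text)
    if hidden:
        names = sorted({name for _, name in hidden})
        findings.append(f"removed {len(hidden)} hidden character(s): {', '.join(names)}")
        text = "".join(ch for ch in text if not is_hidden(ch))
    if single_line and "\n" in text:
        # Extra lines in a one-line field are how a second command gets past
        # a glance at the first one; keep only what the user expected to paste.
        findings.append("multi-line paste truncated to its first line")
        text = text.split("\n", 1)[0]
    return text, findings


# Loose syntactic patterns for common address formats (constructed for the
# example; production code should also verify the checksum).
CRYPTO_ADDRESS_RE = re.compile(
    r"^(?:bc1[ac-hj-np-z02-9]{25,87}"          # Bitcoin bech32
    r"|[13][1-9A-HJ-NP-Za-km-z]{25,34}"         # Bitcoin base58
    r"|0x[0-9a-fA-F]{40})$"                     # Ethereum
)


def looks_like_crypto_address(text: str) -> bool:
    return CRYPTO_ADDRESS_RE.match(text.strip()) is not None


def detect_clipboard_swap(copied: str, pasted: str) -> bool:
    """True when the address the user copied is not the one being pasted.

    `copied` is what the application put on the clipboard (or the user
    selected); `pasted` is what the clipboard returns at paste time.
    """
    return (looks_like_crypto_address(copied)
            and looks_like_crypto_address(pasted)
            and copied.strip() != pasted.strip())
```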
Conclusion
As we close this week’s update, remember that staying informed is the first step to protecting yourself online. Every incident, from targeted exploits to AI misuse, shows that cyber threats are real and constantly changing.
Thanks for reading. Stay alert, update your systems, and use these insights to make smarter choices in your digital life. Stay safe until next week.