Welcome to your weekly dose of cyber news, where every headline offers a glimpse into the world of online battles. This week, we’re exploring a massive crypto theft, uncovering sneaky AI scam tactics, and examining significant changes in data protection.
Let these stories spark your interest and help you stay informed about the evolving threats in our digital landscape.
⚡ Threat of the Week
Lazarus Group Linked to Record-Breaking $1.5 Billion Crypto Heist — The North Korean Lazarus Group has been linked to a sophisticated attack that resulted in the theft of over $1.5 billion worth of cryptocurrency from one of Bybit’s cold wallets, making it the largest single crypto heist in history. Bybit detected unauthorized activity in one of its Ethereum (ETH) cold wallets during a planned routine transfer process on February 21, 2025, at around 12:30 p.m. UTC. This incident surpasses previous records, including the Ronin Network ($624 million), Poly Network ($611 million), and BNB Bridge ($586 million) hacks.
🔔 Top News
- OpenAI Bans ChatGPT Accounts for Malicious Activities — OpenAI has revealed that it banned several clusters of accounts that used its ChatGPT tool for various malicious purposes. These included a network likely originating from China that used AI models to develop a suspected surveillance tool designed to analyze posts and comments from platforms like X, Facebook, YouTube, Instagram, Telegram, and Reddit. Other instances of ChatGPT abuse involved creating social media content, generating comments for romance-baiting scams, and assisting with malware development.
- Apple Drops iCloud’s Advanced Data Protection in the U.K. — Apple has stopped offering its Advanced Data Protection (ADP) feature for iCloud in the United Kingdom, citing non-compliance with government demands for backdoor access to encrypted user data. “We are disappointed that the protections provided by ADP will not be available to our customers in the UK due to the rise of data breaches and threats to customer privacy,” the company stated. This decision comes after reports emerged that the U.K. government had ordered Apple to build a backdoor granting blanket access to any Apple user’s iCloud content.
- Salt Typhoon Leverages Years-Old Cisco Flaw for Initial Access — The China-linked hacking group Salt Typhoon leveraged a now-patched security flaw impacting Cisco devices (CVE-2018-0171) and obtained legitimate victim login credentials as part of a targeted campaign aimed at major U.S. telecommunications companies. The attacks involved extensive use of living-off-the-land (LOTL) techniques to evade detection and the deployment of a bespoke utility called JumbledPath, allowing them to execute a packet capture on a remote Cisco device through an actor-defined jump-host. Cisco described the threat actor as highly sophisticated and well-funded, consistent with state-sponsored hacking activity.
- Russian Hackers Exploit Signal’s Linking Feature — Multiple Russia-aligned threat actors have been observed targeting individuals of interest via malicious QR codes that exploit Signal’s “linked devices” feature to gain unauthorized access to their accounts and eavesdrop on messages. The attacks have been attributed to two clusters tracked as UNC5792 and UNC4221. Similar attacks have also been recorded against WhatsApp.
- Winnti Stages RevivalStone Campaign Targeting Japan — Winnti, a subgroup within the APT41 Chinese threat activity cluster, targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024, delivering a range of malware, including a rootkit capable of intercepting the TCP/IP network interface and of creating covert channels with infected endpoints within the intranet. The activity has been codenamed RevivalStone.
🔥 Trending CVEs
Your go-to software might be hiding dangerous security flaws—don’t wait until it’s too late! Update now and stay ahead of threats before they catch you off guard.
This week’s list includes — CVE-2025-24989 (Microsoft Power Pages), CVE-2025-23209 (Craft CMS), CVE-2024-12284 (Citrix NetScaler Console and NetScaler Agent), CVE-2025-26465, CVE-2025-26466 (OpenSSH), CVE-2025-21589 (Juniper Networks Session Smart Router), CVE-2024-12510, CVE-2024-12511 (Xerox VersaLink C7025 Multifunction printer), CVE-2025-0366 (Jupiter X Core plugin), CVE-2024-50379, CVE-2024-56337, CVE-2024-52316 (Atlassian), CVE-2024-53900, CVE-2025-23061 (Mongoose library), CVE-2025-26776 (NotFound Chaty Pro plugin), CVE-2025-26763 (MetaSlider Responsive Slider by MetaSlider plugin), CVE-2024-54756 (ZDoom Team GZDoom), CVE-2024-57401 (Uniclare Student Portal), CVE-2025-20059 (Ping Identity PingAM Java Policy Agent), CVE-2025-0868 (DocsGPT), CVE-2025-1023, CVE-2025-1132, CVE-2025-1133, CVE-2025-1134, CVE-2025-1135 (ChurchCRM), CVE-2024-57045 (D-Link DIR-859 router), CVE-2024-57050 (TP-Link WR840N v6 router), CVE-2024-57049 (TP-Link Archer c20 router), CVE-2025-26794 (Exim), CVE-2024-50608, CVE-2024-50609 (Fluent Bit), CVE-2024-54961 (Nagios XI), CVE-2025-23115, and CVE-2025-23116 (Ubiquiti UniFi Protect Camera).
📰 Around the Cyber World
- U.S. Army Soldier Pleads Guilty to AT&T and Verizon Hacks — Cameron John Wagenius, a 20-year-old U.S. Army soldier who was arrested early last month in connection with the AT&T and Verizon hacks, has pleaded guilty to two counts of unlawful transfer of confidential phone records information, committed in 2024. He faces up to 10 years in prison for each count. Wagenius is believed to have collaborated with Connor Riley Moucka and John Binns, both accused of stealing data from and extorting dozens of companies by breaking into their Snowflake instances.
- Two Estonian Nationals Plead Guilty in $577M Cryptocurrency Fraud Scheme — Two Estonian nationals, Sergei Potapenko and Ivan Turõgin, have pleaded guilty to operating a massive cryptocurrency Ponzi scheme that affected hundreds of thousands of people worldwide, including in the U.S. They agreed to forfeit assets valued over $400 million obtained during the operation. The defendants sold contracts to customers, promising a share of cryptocurrency mined by their service, HashFlare, but did not possess the computing capacity to perform the majority of the mining promised. Potapenko and Turõgin each pleaded guilty to one count of conspiracy to commit wire fraud, facing a maximum penalty of 20 years in prison.
- Thailand Rescues 7,000 People from Myanmar Call Centers — Thailand Prime Minister Paetongtarn Shinawatra said some 7,000 people have been rescued from illegal call center operations in Myanmar and are waiting to be transferred to Thailand. Myanmar, Cambodia, and Laos have become hotspots for illicit romance baiting scams, run by organized cybercrime syndicates and staffed by people trafficked into the region under the promise of high-paying jobs. They are then tortured and enslaved into running scams like romance fraud and fake investment schemes online.
- Sanctioned Entities Fueled $16 Billion in Crypto Activity — Sanctioned entities and jurisdictions were responsible for nearly $115.8 billion in cryptocurrency activity last year, accounting for about 39% of all illicit crypto transactions. The emergence of no-KYC exchanges and the resurgence of Tornado Cash, which has been the target of sanctions and arrests, drive this trend. “The increase in Tornado Cash usage in 2024 was largely driven by stolen funds, which reached a three-year high, accounting for 24.4% of total inflows,” Chainalysis said. Another notable factor is the increasing use of digital currencies by Iranian services for sanctions-related crypto activity, with outflows from Iran reaching $4.18 billion in 2024, up 70% year-over-year.
- U.S. Releases Russian Cybercriminal in Prison Swap — Alexander Vinnik, who pleaded guilty last year to money laundering charges related to operating the BTC-e cryptocurrency exchange, has been handed over by the U.S. government to Russia in exchange for Marc Fogel, a school teacher sentenced to 14 years in prison for drug trafficking charges. Vinnik was originally arrested in Greece in 2017, with his sentencing scheduled for June 2025.
- Black Hat SEO Campaign Targets Indian Sites — Threat actors have infiltrated Indian government, educational, and financial services websites, using malicious JavaScript code that leverages search engine optimization (SEO) poisoning techniques to redirect users to sketchy websites promoting online betting and investment-focused games. “Targets of interest include websites with .gov.in, .ac.in TLDs, and the usage of keyword stuffing mentioning well-known financial brands in India,” CloudSEK said. Over 150 government portals have been affected, with the method of compromise currently unknown.
- Sky ECC Distributors Arrested in Spain, Netherlands — Four distributors of the encrypted communications service Sky ECC, used extensively by criminals, have been arrested in Spain and the Netherlands. The two suspects arrested in Spain are leading global distributors, generating over €13.5 million ($14 million) in profits. In March 2021, Europol announced it could crack open Sky ECC’s encryption, allowing law enforcement to monitor communications and expose criminal activity.
- Italian Spyware Maker Linked to Malicious WhatsApp Clones — Malicious Android apps impersonating WhatsApp and other popular apps, designed to steal private data from a target’s device, have been attributed to SIO, an Italian spyware company. The findings demonstrate methods used to deploy invasive software against individuals of interest. The spyware, codenamed Spyrtacus, can steal text messages, chats, contacts, call logs, and images, among others. It’s currently unknown who was targeted with the spyware, with the oldest artifact dating back to 2019 and the most recent sample discovered in mid-October 2024.
- CryptoBytes Unleashes UxCryptor Malware — The financially motivated Russian threat actor CryptoBytes has been linked to a new ransomware called UxCryptor, which the group builds and distributes using leaked ransomware builders. “UxCryptor is part of a broader trend of ransomware families that use leaked builders, making it accessible to less technically skilled malware operators,” the SonicWall Capture Labs threat research team said. The malware is often delivered alongside other malware types and is designed to encrypt files, demanding payment in cryptocurrency for decryption.
- Threat Actors Take a Mere 48 Minutes to Go From Initial Access to Lateral Movement — Cybersecurity company ReliaQuest responded to a manufacturing sector breach involving phishing and data exfiltration, noting the attack achieved a breakout time of just 48 minutes, indicating adversaries are moving faster than defenders can respond. The attack involved email bombing techniques and sending a Microsoft Teams message to trick victims into granting remote access via Quick Assist.
- Russia Plans New Measures to Tackle Cybercrime — The Russian government is said to have approved measures aimed at combating cyber fraud, including tougher punishments, longer prison terms, and strengthening international cooperation by allowing the extradition of criminals hiding abroad to Russia for trial and punishment.
🎥 Expert Webinar
- Webinar 1: Build Resilient Identity: Learn to Reduce Security Debt Before It Costs You — Join our exclusive webinar with Karl Henrik Smith and Adam Boucher as they reveal the Secure Identity Assessment—a roadmap to close identity gaps, cut security debt, and future-proof your defenses in 2025. Learn practical steps to streamline workflows, mitigate risks, and optimize resource allocation, ensuring your organization stays ahead of cyber threats.
- Webinar 2: Transform Your Code Security with One Smart Engine — Join our exclusive webinar with Palo Alto Networks’ Amir Kaushansky to explore ASPM—the unified approach to application security. Learn how merging code insights with runtime data bridges gaps in traditional AppSec, prioritizes risks, and shifts your strategy from reactive patching to proactive prevention.
P.S. Know someone who could use these? Share it.
🔧 Cybersecurity Tools
- Ghidra 11.3 — This update makes your cybersecurity work easier and faster, with built-in Python3 support and new tools to connect source code to binaries, helping you find problems in software quickly. Built by experts at the NSA, it works on Windows, macOS, and Linux, giving you a smart and simple way to tackle even the toughest challenges in reverse engineering.
- RansomWhen — This open-source tool helps protect your data in the cloud by scanning CloudTrail logs to spot unusual activity that might signal a ransomware attack using AWS KMS. By identifying identities with risky permissions, RansomWhen alerts you before an attacker can lock your S3 buckets and hold your data for ransom.
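The kind of CloudTrail check a tool like RansomWhen performs, as an added illustration written for this newsletter (not RansomWhen’s own code): it walks a constructed list of CloudTrail records and reports which identities successfully performed the KMS and S3 encryption-configuration calls that would let an attacker lock up bucket data. The API names are real AWS event names; which ones count as risky, and the sample records, are this example’s own assumptions.

```python
"""Flag CloudTrail events that look like KMS-based ransomware staging."""
import json
from collections import defaultdict

# Real AWS API names; treating exactly these as "risky" is this example's assumption.
RISKY_ACTIONS = {
    "kms.amazonaws.com": {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy"},
    "s3.amazonaws.com": {"PutBucketEncryption", "DeleteBucketLifecycle"},
}

def identity_of(record):
    """Return the last ARN segment (user or role name), else the identity type."""
    ident = record.get("userIdentity", {})
    arn = ident.get("arn", "")
    return arn.rsplit("/", 1)[-1] if arn else ident.get("type", "unknown")

def flag_risky_kms_activity(records):
    """Group risky KMS/S3 actions by identity; returns {identity: [event names]}."""
    hits = defaultdict(list)
    for rec in records:
        source = rec.get("eventSource")
        name = rec.get("eventName")
        if name not in RISKY_ACTIONS.get(source, ()):
            continue
        # A call AWS rejected (errorCode present) did not change key or bucket state.
        if rec.get("errorCode"):
            continue
        hits[identity_of(rec)].append(name)
    return dict(hits)

# Constructed sample records, not real account data.
SAMPLE_TRAIL = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/mallory"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketEncryption",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/mallory"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "DisableKey", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]

if __name__ == "__main__":
    # Prints {"mallory": ["ScheduleKeyDeletion", "PutBucketEncryption"]}
    print(json.dumps(flag_risky_kms_activity(SAMPLE_TRAIL), indent=2))
```

In a real deployment the records would come from a CloudTrail export or Athena query rather than an inline list, and the denied attempts skipped here are worth alerting on separately.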
🔒 Tip of the Week
Easy Steps to Supercharge Your Password Manager — In today’s digital world, using an advanced password manager is about creating a secure digital fortress. First, enable two-factor authentication (2FA) for your password manager to ensure that even if someone gets hold of your master password, they’ll need an extra code to gain access. Use the built-in password generator to create long, unique passwords for every account, and regularly run security audits to spot weak or repeated passwords. Take advantage of breach monitoring features that alert you if any of your credentials show up in data breaches. When you need to share a password, use the manager’s secure sharing option to keep the data encrypted.
Conclusion
We’ve seen significant action in the cyber world this week, with criminals facing charges and new scams coming to light. These stories remind us that staying informed is key to online safety. Thanks for joining us, and we look forward to keeping you updated next week.