Welcome to our weekly cybersecurity news recap, where we delve into the latest threats and trends in the world of cybersecurity. This week, we’re focusing on the increasing use of clever tricks by cyber attackers to gain access to sensitive information. From device code phishing to cloud exploits, we’ll break down the technical details and provide you with easy-to-follow insights.
⚡ Threat of the Week
Russian Threat Actors Utilize Device Code Phishing to Compromise Microsoft Accounts — In a recent revelation, Microsoft and Volexity have exposed a technique employed by Russian threat actors to gain unauthorized access to victim accounts, enabling them to obtain sensitive data and establish persistent access to the target environment. At least three Russia-linked clusters have been identified as abusing this technique, which involves sending phishing emails masquerading as Microsoft Teams meeting invitations. These emails prompt recipients to authenticate using a threat actor-generated device code, allowing the adversary to hijack the authenticated session using a valid access token.
🔔 Top News
- whoAMI Attack Exploits AWS AMI Name Confusion for Remote Code Execution — A newly discovered attack, dubbed whoAMI, leverages Amazon Machine Image (AMI) name confusion to achieve remote code execution within Amazon Web Services (AWS) accounts. Datadog, which disclosed the attack, reported that approximately 1% of organizations monitored by the company were affected, with public examples of vulnerable code found in Python, Go, Java, Terraform, Pulumi, and Bash shell. Although AWS stated that there is no evidence of malicious exploitation, the vulnerability highlights the need for vigilance in securing AWS accounts.
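The name-confusion pattern behind whoAMI, shown as an added example that is not code from the article or from Datadog: image records are constructed inline to stand in for an `ec2.describe_images()` response, owner IDs are made-up placeholders, and the hardened variant is the equivalent of passing `Owners=[...]` to boto3 or `owners = [...]` to Terraform's `aws_ami` data source.

```python
import fnmatch

# Constructed sample data (not real AWS account IDs or AMI IDs).
TRUSTED_OWNER = "111111111111"   # the vendor account we actually intend to use
OTHER_OWNER = "999999999999"     # any other account able to publish a public AMI

SAMPLE_IMAGES = [
    {"ImageId": "ami-0trusted0001", "Name": "vendor-linux-2024.11-x86_64",
     "OwnerId": TRUSTED_OWNER, "Public": True,
     "CreationDate": "2024-11-01T00:00:00.000Z"},
    # A look-alike: same naming scheme, different owner, newer date.
    {"ImageId": "ami-0lookalike01", "Name": "vendor-linux-2025.02-x86_64",
     "OwnerId": OTHER_OWNER, "Public": True,
     "CreationDate": "2025-02-10T00:00:00.000Z"},
]


def _matches(image, name_pattern):
    """Wildcard match on the AMI name, as the name filter does."""
    return fnmatch.fnmatchcase(image["Name"], name_pattern)


def _newest(images):
    """ISO-8601 timestamps of identical format sort lexicographically."""
    return max(images, key=lambda i: i["CreationDate"])


def pick_ami_vulnerable(images, name_pattern):
    """Name-only lookup plus 'most recent': the whoAMI bug. Any account whose
    public image matches the pattern with a later CreationDate wins."""
    hits = [i for i in images if _matches(i, name_pattern)]
    return _newest(hits)["ImageId"] if hits else None


def pick_ami_hardened(images, name_pattern, trusted_owners):
    """Same lookup, but only images from explicitly trusted owner accounts
    are eligible, so a look-alike from another account is never selected."""
    hits = [i for i in images
            if _matches(i, name_pattern) and i["OwnerId"] in trusted_owners]
    return _newest(hits)["ImageId"] if hits else None


def untrusted_images(images, trusted_owners):
    """Defender check: which images in a result set come from other accounts."""
    return [i["ImageId"] for i in images if i["OwnerId"] not in trusted_owners]


if __name__ == "__main__":
    pattern = "vendor-linux-*-x86_64"
    print("vulnerable lookup picks:", pick_ami_vulnerable(SAMPLE_IMAGES, pattern))
    print("hardened lookup picks:  ", pick_ami_hardened(SAMPLE_IMAGES, pattern, {TRUSTED_OWNER}))
```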
- RansomHub Targets Over 600 Organizations Globally — The RansomHub ransomware operation has targeted over 600 organizations worldwide, spanning sectors such as healthcare, finance, government, and critical infrastructure, making it one of the most active cybercrime groups in 2024. In one notable attack, the group exploited now-patched security flaws in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to a victim network’s domain controller as part of their post-compromise strategy.
- REF7707 Employs Outlook Drafts for Command-and-Control — A previously undocumented threat activity cluster, dubbed REF7707, has been observed utilizing a remote administration tool named FINALDRAFT. This tool parses commands stored in the mailbox’s drafts folder and writes the results of execution into new draft emails for each command. REF7707 leverages the Microsoft Graph API for command-and-control (C2) purposes, targeting the foreign ministry of an unnamed South American nation, as well as a telecommunications entity and a university in Southeast Asia.
- Kimsuky Adopts ClickFix-Style Attack Strategy — The North Korean threat actor known as Kimsuky (aka Black Banshee) has adopted a new tactic involving deceiving targets into running PowerShell as an administrator and then instructing them to paste and run malicious code provided by the threat actor. This attack strategy aims to establish a data communication mechanism that enables the adversary to exfiltrate data.
- Law Enforcement Operation Takes Down 8Base — A consortium of law enforcement agencies has arrested four Russian nationals and seized over 100 servers linked to the 8Base ransomware gang in Thailand. Two of the suspects are accused of operating a cybercrime group that used Phobos ransomware to victimize over 1,000 public and private entities worldwide.
🔥 Trending CVEs
It’s essential to stay up-to-date with the latest security flaws in your software, as they can pose significant risks to your digital security. This week’s list includes — CVE-2025-1094 (PostgreSQL), CVE-2025-0108 (Palo Alto Networks PAN-OS), CVE-2025-23359 (NVIDIA Container Toolkit), CVE-2025-21391 (Microsoft Windows Storage), and CVE-2025-21418 (Microsoft Windows Ancillary Function Driver for WinSock), among others. Ensure you update your software to protect against these vulnerabilities.
📰 Around the Cyber World
- Former Google Engineer Charged with Stealing Trade Secrets — Linwei Ding, a former Google engineer, has been charged with seven counts of economic espionage and seven counts of theft of trade secrets related to Google’s AI technology. The stolen trade secrets include detailed information about Google’s Tensor Processing Unit (TPU) chips and systems, as well as the software that enables the chips to communicate and execute tasks.
- Windows UI Flaw Exploited by Mustang Panda — The suspected Chinese nation-state group, Mustang Panda, is actively exploiting a UI vulnerability in Microsoft Windows. This vulnerability allows threat actors to hide files extracted from compressed ‘RAR’ files, making them invisible to users.
- Meta Paid Over $2.3M in Bug Bounty Rewards in 2024 — Meta announced that it paid out over $2.3 million in rewards to nearly 200 security researchers as part of its bug bounty program in 2024. The top three countries based on bounties awarded in 2024 are India, Nepal, and the United States.
- Critical ThinkPHP and OwnCloud Flaws Under Active Exploitation — Threat actors are actively exploiting two known security vulnerabilities impacting ThinkPHP and OwnCloud. Organizations are recommended to apply the necessary patches to reduce the attack surface.
- FSB Mole Arrested in Ukraine — The Secret Service of Ukraine (SSU) detained one of its own high-level officials, accusing them of acting as a mole for Russia. The individual allegedly transmitted documents containing state secrets to the Russian intelligence agency via a special mobile phone.
- LLMjacking Hits DeepSeek — Malicious actors have been observed capitalizing on the popularity of AI chatbot platform DeepSeek to conduct LLMjacking attacks. These attacks involve selling illicitly obtained access to legitimate cloud environments to other actors for a price.
- Romance Baiting Scams Jump 40% YoY — Pig butchering scams, also known as romance baiting, have accounted for 33.2% of the estimated $9.9 billion revenue earned by cybercriminals in 2024 from cryptocurrency scams. The average deposit amount to pig butchering scams declined 55% YoY, indicating a shift in how these scams are conducted.
- Security Issues in RedNote Flagged — A new network security analysis has uncovered multiple issues in RedNote’s Android and iOS apps, including insufficient encryption of device metadata and a vulnerability that enables network attackers to learn the contents of any files that RedNote has permission to read on users’ devices.
- CISA Urges Organizations to Address Buffer Overflows — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a Secure by Design Alert, urging organizations to eliminate buffer overflow vulnerabilities in software. These vulnerabilities can lead to data corruption, sensitive data exposure, and unauthorized code execution.
- Foreign Adversaries Target Local Communities in the U.S. for Influence Ops — A new report from the Alliance for Securing Democracy (ASD) has found that foreign nation-state actors from Russia, China, and Iran are running influence operations that exploit trust in local sources and impact state and local communities in the U.S. to manipulate public opinion and undermine democratic institutions.
- Financial Organizations Asked to Switch to Quantum-Safe Cryptography — Europol is urging financial institutions and policymakers to transition to quantum-safe cryptography, citing an “imminent” threat to cryptographic security due to the rapid advancement of quantum computing.
- Google Addresses High Impact Flaws — Google has addressed a pair of security flaws that could be chained by malicious actors to unmask the email address of any YouTube channel owner. The issues were resolved as of February 9, 2025, with no evidence of exploitation in the wild.
- New DoJ Actions Target Crypto Fraud — The U.S. Department of Justice has taken action against individuals involved in cryptocurrency scams, including a 25-year-old Alabama man who pleaded guilty to charges related to the hacking of the U.S. Securities and Exchange Commission’s (SEC) X account.
- U.S. Lawmakers Warn Against U.K. Order for Backdoor to Apple Data — U.S. Senator Ron Wyden and Member of Congress Andy Biggs have sent a letter to Tulsi Gabbard, the Director of National Intelligence, urging the U.K. to retract its order for Apple to create a backdoor to access any Apple user’s iCloud content, citing threats to the privacy and security of both the American people and the U.S. government.
🎥 Cybersecurity Webinars
- Webinar 1: From Code to Runtime: Transform Your App Security — Join our webinar with Amir Kaushansky from Palo Alto Networks to learn how to connect code details with live data to fix gaps before they become risks.
- Webinar 2: From Debt to Defense: Fix Identity Gaps Fast — Join our free webinar with experts Karl Henrik Smith and Adam Boucher to learn how to spot and close identity gaps with Okta’s Secure Identity Assessment.
🔧 Cybersecurity Tools
- WPProbe — A fast WordPress plugin scanner that uses REST API enumeration to detect installed plugins without brute force, scanning by querying exposed endpoints and matching them against a precompiled database of over 900 plugins.
- BruteShark — A powerful and user-friendly Network Forensic Analysis Tool built for security researchers and network administrators, capable of extracting passwords, rebuilding TCP sessions, and mapping your network visually.
🔒 Tip of the Week
Segment Your Wi-Fi Network for Better Protection — To protect your home network from potential breaches, consider segmenting your Wi-Fi network by dividing it into separate parts, similar to how large businesses isolate sensitive information. Use your router’s guest network or VLAN features to create different SSIDs, such as “Home_Private” for personal devices and “Home_IoT” for smart gadgets.
Ensure each network uses strong encryption (WPA3 or WPA2) with unique passwords, and configure your router so devices on one network cannot communicate with those on another. Test your setup by connecting your devices accordingly and verifying that cross-network traffic is blocked, then periodically check your router’s dashboard to keep the configuration working smoothly.
Conclusion
This concludes our weekly cybersecurity news recap. We’ve covered a broad range of stories, from the case of a former Google engineer charged with stealing key AI secrets to hackers taking advantage of a Windows user interface flaw. These headlines remind us that cyber threats come in many forms, and every day, new risks emerge that can affect everyone from large organizations to individual users. Stay informed and take steps to protect your digital life.
Thank you for joining us, and we look forward to keeping you informed next week.