
Welcome to this week’s Cybersecurity News Recap. Discover how cyber attackers are using clever tricks like fake codes and sneaky emails to gain access to sensitive data. We cover everything from device code phishing to cloud exploits, breaking down the technical details into simple, easy-to-follow insights.
⚡ Threat of the Week
Russian Threat Actors Leverage Device Code Phishing to Hack Microsoft Accounts — Microsoft and Volexity have revealed that threat actors with ties to Russia are leveraging a technique known as device code phishing to gain unauthorized access to victim accounts, and use that access to get hold of sensitive data and enable persistent access to the victim environment. At least three different Russia-linked clusters have been identified abusing the technique to date. The attacks entail sending phishing emails that masquerade as Microsoft Teams meeting invitations, which, when clicked, urge the message recipients to authenticate using a threat actor-generated device code, thereby allowing the adversary to hijack the authenticated session using the valid access token.
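Added example, not code from the article, Microsoft or Volexity: a small Python triage routine for the pattern described above, flagging device-code sign-ins that are a first for the user or that come from an address absent from that user's other sign-ins. The record field names are assumed to mirror an Entra ID sign-in log export, and the logged IP is assumed to be that of the client that redeemed the code; both are my assumptions, so check them against your own data.

```python
"""Triage device-code sign-ins against each user's own sign-in history.

Added example; field names (userPrincipalName, authenticationProtocol,
ipAddress, createdDateTime) are assumed to mirror an Entra ID sign-in export.
"""
from collections import defaultdict

# Constructed sample export. Alice and Bob normally sign in from the browser
# ("none" = no special protocol). Bob later uses device code from his usual
# address, which is how a CLI tool on his own workstation would look. Alice's
# device-code sign-in comes from an address that never appears in her history.
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "createdDateTime": "2025-02-10T08:02:11Z"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "createdDateTime": "2025-02-11T08:05:40Z"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "none",
     "ipAddress": "198.51.100.7", "createdDateTime": "2025-02-11T09:13:02Z"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "createdDateTime": "2025-02-11T09:20:00Z"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.55", "createdDateTime": "2025-02-12T14:31:09Z"},
]


def baseline_ips(records):
    """Map each user to the source IPs seen on their non-device-code sign-ins."""
    seen = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            seen[r["userPrincipalName"]].add(r["ipAddress"])
    return seen


def triage_device_code_signins(records):
    """Return (record, reasons) for every device-code sign-in, in time order.

    reasons lists why the event deserves a look; an empty list means the
    sign-in matched the user's established pattern.
    """
    known = baseline_ips(records)
    users_seen_with_device_code = set()
    findings = []
    # ISO 8601 UTC timestamps sort correctly as plain strings.
    for r in sorted(records, key=lambda x: x["createdDateTime"]):
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user = r["userPrincipalName"]
        reasons = []
        if user not in users_seen_with_device_code:
            reasons.append("first device-code sign-in for this user")
        if r["ipAddress"] not in known[user]:
            reasons.append("source IP never seen on this user's other sign-ins")
        users_seen_with_device_code.add(user)
        findings.append((r, reasons))
    return findings


def high_priority(findings):
    """Keep only events that tripped every rule: the ones whose sessions and
    refresh tokens should be revoked and investigated first."""
    return [f for f in findings if len(f[1]) == 2]


if __name__ == "__main__":
    for rec, why in triage_device_code_signins(SIGN_INS):
        print(rec["userPrincipalName"], rec["ipAddress"], why)
```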
🔔 Top News
- whoAMI Attack Exploits AWS AMI Name Confusion for Remote Code Execution — A new type of name confusion attack called whoAMI allows anyone who publishes an Amazon Machine Image (AMI) with a specific name to gain code execution within the Amazon Web Services (AWS) account. Datadog, which detailed the attack, said roughly 1% of organizations monitored by the company were affected by the whoAMI, and that it found public examples of code written in Python, Go, Java, Terraform, Pulumi, and Bash shell using the vulnerable criteria. AWS told The Hacker News that there is no evidence of malicious exploitation of the security weakness.
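Added example, not Datadog's or AWS's code: the lookup defect behind whoAMI (match a name wildcard, take the most recent image, never restrict the owner) reproduced as a pure-Python selection over constructed describe-images style records, next to the hardened form that only considers an explicit owner allow-list, which is what passing Owners to describe-images or setting `owners` on Terraform's aws_ami data source does server-side. The owner IDs, image names and function names are placeholders of mine.

```python
"""whoAMI lookup defect vs. owner-restricted lookup (added example; the owner
IDs and image records below are constructed placeholders).
"""
import fnmatch

# Placeholder: the account IDs whose images you actually intend to run.
TRUSTED_OWNERS = {"111111111111"}

# Constructed: a legitimate image plus a newer look-alike from an unrelated
# account whose Name matches the same wildcard.
IMAGES = [
    {"ImageId": "ami-0aaaaaaaaaaaaaaaa", "Name": "corp-base-ubuntu-22.04-20250110",
     "OwnerId": "111111111111", "CreationDate": "2025-01-10T12:00:00.000Z"},
    {"ImageId": "ami-0bbbbbbbbbbbbbbbb", "Name": "corp-base-ubuntu-22.04-20250205",
     "OwnerId": "999999999999", "CreationDate": "2025-02-05T12:00:00.000Z"},
]


def _matching(images, name_pattern, owners=None):
    """Images whose Name matches the wildcard and, when owners is given,
    whose OwnerId is in that allow-list."""
    return [
        i for i in images
        if fnmatch.fnmatchcase(i["Name"], name_pattern)
        and (owners is None or i["OwnerId"] in owners)
    ]


def pick_ami_vulnerable(images, name_pattern):
    """The vulnerable criteria: newest image with a matching name, any owner.
    Whoever publishes a newer public image with a fitting name wins."""
    candidates = _matching(images, name_pattern)
    if not candidates:
        return None
    return max(candidates, key=lambda i: i["CreationDate"])["ImageId"]


def pick_ami_hardened(images, name_pattern, owners=TRUSTED_OWNERS):
    """Same lookup restricted to trusted owners. Returns None instead of
    falling back to an untrusted image when nothing trusted matches."""
    candidates = _matching(images, name_pattern, owners)
    if not candidates:
        return None
    return max(candidates, key=lambda i: i["CreationDate"])["ImageId"]


def audit_lookup(images, name_pattern, owners=TRUSTED_OWNERS):
    """Report whether an owner-less lookup would resolve to an image outside
    the allow-list; useful when reviewing existing provisioning code."""
    chosen = pick_ami_vulnerable(images, name_pattern)
    owner = next((i["OwnerId"] for i in images if i["ImageId"] == chosen), None)
    return {"selected": chosen, "owner": owner,
            "untrusted": chosen is not None and owner not in owners}


if __name__ == "__main__":
    pattern = "corp-base-ubuntu-22.04-*"
    print("vulnerable picks:", pick_ami_vulnerable(IMAGES, pattern))
    print("hardened picks:  ", pick_ami_hardened(IMAGES, pattern))
    print("audit:", audit_lookup(IMAGES, pattern))
```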
- RansomHub Targets Over 600 Orgs Globally — The RansomHub ransomware operation has targeted over 600 organizations across the world, spanning sectors such as healthcare, finance, government, and critical infrastructure, making it one of the most active cybercrime groups in 2024. One such attack has been found to weaponize now-patched security flaws in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to a victim network’s domain controller as part of their post-compromise strategy.
- REF7707 Uses Outlook Drafts for Command-and-Control — A previously undocumented threat activity cluster dubbed REF7707 has been observed using a remote administration tool named FINALDRAFT that parses commands stored in the mailbox’s drafts folder and writes the results of the execution into new draft emails for each command. It makes use of the Outlook email service via the Microsoft Graph API for command-and-control (C2) purposes. The group has been observed targeting the foreign ministry of an unnamed South American nation, as well as a telecommunications entity and a university, both located in Southeast Asia.
- Kimsuky Embraces ClickFix-Style Attack Strategy — The North Korean threat actor known as Kimsuky (aka Black Banshee) is using a new tactic that involves deceiving targets into running PowerShell as an administrator and then instructing them to paste and run malicious code provided by them. “To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a spear-phishing email with an [sic] PDF attachment,” Microsoft said. Users are then convinced to click on a URL, urging them to register their device in order to read the PDF attachment. The end goal of the attack is to establish a data communication mechanism that allows the adversary to exfiltrate data.
- Law Enforcement Op Takes Down 8Base — A consortium of law enforcement agencies has arrested four Russian nationals and seized over 100 servers linked to the 8Base ransomware gang. The arrests were made in Thailand. Two of the suspects are accused of operating a cybercrime group that used Phobos ransomware to victimize more than 1,000 public and private entities in the country and across the world. The development comes in the aftermath of a series of high-profile ransomware disruptions associated with Hive, LockBit, and BlackCat in recent years. Late last year, Evgenii Ptitsyn, a 42-year-old Russian national believed to be the administrator of the Phobos ransomware, was extradited to the U.S.
🔥 Trending CVEs
Your go-to software could be hiding dangerous security flaws—don’t wait until it’s too late! Update now and stay ahead of the threats before they catch you off guard.
This week’s list includes — CVE-2025-1094 (PostgreSQL), CVE-2025-0108 (Palo Alto Networks PAN-OS), CVE-2025-23359 (NVIDIA Container Toolkit), CVE-2025-21391 (Microsoft Windows Storage), CVE-2025-21418 (Microsoft Windows Ancillary Function Driver for WinSock), CVE-2024-38657, CVE-2025-22467, CVE-2024-10644 (Ivanti Connect Secure), CVE-2024-47908 (Ivanti Cloud Services Application), CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, CVE-2024-56134, CVE-2024-56135 (Progress Kemp LoadMaster), CVE-2025-24200 (Apple iOS and iPadOS), CVE-2024-12797 (OpenSSL), CVE-2025-21298 (Microsoft Windows OLE), CVE-2025-1240 (WinZip), CVE-2024-32838 (Apache Fineract), CVE-2024-52577 (Apache Ignite), CVE-2025-26793 (Hirsch Enterphone MESH), CVE-2024-12562 (s2Member Pro plugin), CVE-2024-13513 (Oliver POS – A WooCommerce Point of Sale (POS) plugin), CVE-2025-26506 (HP LaserJet), CVE-2025-22896, CVE-2025-25067, CVE-2025-24865 (mySCADA myPRO Manager), CVE-2024-13182 (WP Directorybox Manager plugin), CVE-2024-10763 (Campress theme), CVE-2024-7102 (GitLab CE/EE), CVE-2024-12213 (WP Job Board Pro plugin), CVE-2024-13365 (Security & Malware scan by CleanTalk plugin), CVE-2024-13421 (Real Estate 7 theme), and CVE-2025-1126 (Lexmark Print Management Client).
📰 Around the Cyber World
- Former Google Engineer Charged with Plan to Steal Trade Secrets — Linwei Ding, a former Google engineer who was arrested last March for transferring “sensitive Google trade secrets and other confidential information from Google’s network to his personal account,” has now been charged with seven counts of economic espionage and seven counts of theft of trade secrets related to the company’s AI technology between 2022 and 2023. This included detailed information about the architecture and functionality of Google’s Tensor Processing Unit (TPU) chips and systems and Graphics Processing Unit (GPU) systems, the software that allows the chips to communicate and execute tasks, and the software that orchestrates thousands of chips into a supercomputer capable of training and executing cutting-edge AI workloads. The trade secrets also relate to Google’s custom-designed SmartNIC, a type of network interface card used to enhance Google’s GPU, high performance, and cloud networking products. “Ding intended to benefit the PRC government by stealing trade secrets from Google,” the U.S. Department of Justice said. “Ding allegedly stole technology relating to the hardware infrastructure and software platform that allows Google’s supercomputing data center to train and serve large AI models.” The superseding indictment also stated that Chinese-sponsored talent programs incentivize individuals engaged in research and development outside the country to transmit such information in exchange for salaries, research funds, lab space, or other incentives. If convicted, Ding faces a maximum penalty of 10 years in prison and up to a $250,000 fine for each trade-secret count and 15 years in prison and a $5,000,000 fine for each economic espionage count.
- Windows UI Flaw Exploited by Mustang Panda — Israeli cybersecurity company ClearSky has warned that a suspected Chinese nation-state group known as Mustang Panda is actively exploiting a UI vulnerability in Microsoft Windows. “When files are extracted from compressed ‘RAR’ files they are hidden from the user,” the company said. “If the compressed files are extracted into a folder, the folder appears empty in the Windows Explorer GUI. When using the ‘dir’ command to list all files and folders inside the target folder, the extracted files and folders are ‘invisible/hidden’ to the user. Threat actors or users can also execute those compressed files from a command line prompt, if they know the exact path. As a result of executing ‘attrib -s -h’ to system protected files, an unknown file type is created from the type ‘Unknown’ ActiveX component.” It’s currently not clear who are the targets of the attack, and what the end goals of the campaign are.
- Meta Paid Over $2.3M in Bug Bounty Rewards in 2024 — Meta said it paid out more than $2.3 million in rewards to nearly 200 security researchers as part of its bug bounty program in 2024. In total, the company has handed out more than $20 million since the creation of the program in 2011. The top three countries based on bounties awarded in 2024 are India, Nepal, and the United States.
- Critical ThinkPHP and OwnCloud Flaws Under Active Exploitation — Over the past few days, threat actors have been actively attempting to exploit two known security vulnerabilities impacting ThinkPHP (CVE-2022-47945, CVSS score: 9.8) and OwnCloud (CVE-2023-49103, CVSS score: 10.0), with attacks originating from hundreds of unique IP addresses, most of which are based in Germany, China, the U.S., Singapore, Hong Kong, the Netherlands, the U.K., and Canada. Organizations are recommended to apply the necessary patches (ThinkPHP to 6.0.14+ and ownCloud GraphAPI to 0.3.1+) and restrict access to reduce the attack surface.
- FSB Mole Arrested in Ukraine — The Secret Service of Ukraine (SSU) said it had detained one of its own high-level officials, accusing them of acting as a mole for Russia. The individual, one of the officials of the SSU Counterterrorism Center, is alleged to have been recruited by Russia’s Federal Security Service (FSB) in Vienna in 2018, and actively began engaging in espionage at the end of December last year, transmitting documents containing state secrets to the intelligence agency via a “special mobile phone.” The SSU, upon learning of the man’s actions, said it “used him in a counterintelligence ‘game’: through the traitor the SSU fed the enemy a large amount of disinformation.” The individual’s name was not disclosed, but the Kyiv Independent said it’s Colonel Dmytro Kozyura, citing unnamed SSU sources.
- LLMjacking Hits DeepSeek — Malicious actors have been observed capitalizing on the popularity of AI chatbot platform DeepSeek to conduct what’s called LLMjacking attacks, which involve selling the access obtained to legitimate cloud environments to other actors for a price. These attacks involve the use of stolen credentials to allow access to machine learning services via the OpenAI Reverse Proxy (ORP), which acts as a reverse proxy server for LLMs of various providers. The ORP operators hide their IP addresses using TryCloudflare tunnels. Ultimately, the illicit LLM access is used to generate NSFW content and malicious scripts, and even to circumvent bans on ChatGPT in countries like China and Russia, where the service is blocked. “Cloud-based LLM usage costs can be staggering, surpassing several hundreds of thousands of dollars monthly,” Sysdig said. “The high cost of LLMs is the reason cybercriminals choose to steal credentials rather than pay for LLM services. Due to steep costs, a black market for access has developed around OAI Reverse Proxies — and underground service providers have risen to meet the needs of consumers.”
- Romance Baiting Scams Jump 40% YoY — Pig butchering scams, also called romance baiting, have accounted for 33.2% of the estimated $9.9 billion revenue earned by cybercriminals in 2024 from cryptocurrency scams, growing nearly 40% year-over-year. However, the average deposit amount to pig butchering scams declined 55% YoY, likely indicating a shift in how these scams are conducted. “Pig butchering scammers have also evolved to diversify their business model beyond the ‘long con’ of pig butchering scams — which can take months and even years of developing a relationship before receiving victim payments — to quicker turnaround employment or work-from-home scams that typically yield smaller victim deposits,” Chainalysis said. Further analysis of on-chain activity has found that HuiOne Guarantee is heavily used for illicit crypto-based activities supporting the pig butchering industry in Southeast Asia. Scammers have also been observed using generative AI technology to facilitate crypto scams, often to impersonate others or generate realistic content.
- Security Issues in RedNote Flagged — It’s not just DeepSeek. A new network security analysis undertaken by the Citizen Lab has uncovered multiple issues in RedNote’s (aka Xiaohongshu) Android and iOS apps. This includes fetching viewed images and videos over HTTP, transmitting insufficiently encrypted device metadata, as well as a vulnerability that enables network attackers to learn the contents of any files that RedNote has permission to read on the users’ devices. While the second vulnerability was introduced by an upstream analytics SDK, MobTech, the third issue was introduced by NEXTDATA. As of writing, all the flaws remain unpatched. The vulnerabilities “could enable surveillance by any government or ISP, and not just the Chinese government,” the Citizen Lab said.
- CISA Urges Orgs to Address Buffer Overflows — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a Secure by Design Alert, urging organizations to eliminate buffer overflow vulnerabilities in software. “These vulnerabilities can lead to data corruption, sensitive data exposure, program crashes, and unauthorized code execution,” the agencies said, labeling them as unforgivable defects. “Threat actors frequently exploit these vulnerabilities to gain initial access to an organization’s network and then move laterally to the wider network.” Saeed Abbasi, manager of vulnerability research at Qualys Threat Research Unit (TRU), emphasized the need to switch from memory unsafe languages. “Legacy excuses are out; the world has zero tolerance for memory-unsafe code in 2025,” Abbasi said. “Yes, rewriting old systems is daunting, but letting attackers exploit decades-old buffer overflows is worse. Organizations still clinging to unsafe languages risk turning minor vulnerabilities into massive breaches—and they can’t claim surprise. We’ve had proven fixes for ages: phased transitions to Rust or other memory-safe options, compiler-level safeguards, thorough adversarial testing, and public commitments to a secure-by-design roadmap. The real challenge is collective will: leadership must demand memory-safe transitions, and software buyers must hold vendors accountable.”
- Foreign Adversaries Target Local Communities in the U.S. for Influence Ops — A new report from the Alliance for Securing Democracy (ASD) has found that foreign nation-state actors from Russia, China, and Iran are running influence operations that exploit trust in local sources and impact state and local communities in the U.S. with an aim to manipulate public opinion, stoke discord, and undermine democratic institutions. “In some cases, adversarial nations seek favorable outcomes around local policy issues; in others, they use local debates as Trojan horses to advance their broader geopolitical agendas,” the research said. Russia emerged as the most active threat actor, with 26 documented cases designed to polarize Americans through themes related to immigration and election integrity. Beijing, on the other hand, sought to cultivate support for Chinese state interests.
- Financial Orgs Asked to Switch to Quantum-Safe Cryptography — Europol is urging financial institutions and policymakers to transition to quantum-safe cryptography, citing an “imminent” threat to cryptographic security due to the rapid advancement of quantum computing. The primary risk is that threat actors could steal encrypted data today with the intention of decrypting it in the future using quantum computing, a technique called “harvest now, decrypt later” or retrospective decryption. “A sufficiently advanced quantum computer has the potential to break widely used public-key cryptographic algorithms, endangering the confidentiality of financial transactions, authentication processes, and digital contracts,” the agency said. “While estimates suggest that quantum computers capable of such threats could emerge within the next 10 to 15 years, the time required to transition away from vulnerable cryptographic methods is significant. A successful transition to post-quantum cryptography requires collaboration among financial institutions, technology providers, policymakers, and regulators.” Last year, the U.S. National Institute of Standards and Technology (NIST) formally announced the first three “quantum-safe” algorithms.
- Google Addresses High Impact Flaws — Google has addressed a pair of security flaws that could be chained by malicious actors to unmask the email address of any YouTube channel owner. The first of the two is a vulnerability identified in a YouTube API that could leak a user’s GAIA ID, a unique identifier used by Google to manage accounts across its network of sites. This ID could then be fed as input to an outdated web API associated with Pixel Recorder to convert it into an email address when sharing a recording. Following responsible disclosure on September 24, 2024, the issues were resolved as of February 9, 2025. There is no evidence that these shortcomings were ever abused in the wild.
- New DoJ Actions Target Crypto Fraud — Eric Council Jr., 25, of Alabama, has pleaded guilty to charges related to the January 2024 hacking of the U.S. Securities and Exchange Commission’s (SEC) X account. The account was taken over to falsely announce that the SEC approved BTC Exchange Traded Funds, causing a spike in the price of bitcoin. The attack was carried out through an unauthorized Subscriber Identity Module (SIM) swap carried out by the defendant, tricking a mobile phone provider store to reassign the victim’s phone number to a SIM card in their possession using a fraudulent identity card printed using an ID card printer. Council, who was arrested in December 2024, pleaded guilty to conspiracy to commit aggravated identity theft and access device fraud. If convicted, he faces a maximum penalty of five years in prison. In a related development, a 22-year-old man from Indiana, Evan Frederick Light, was sentenced to 20 years in federal prison for running a massive cryptocurrency theft scheme from his mother’s basement. Light broke into an investment holdings company in South Dakota in February 2022, stealing customers’ personal data and cryptocurrency worth over $37 million from nearly 600 victims. The stolen cryptocurrency was then funneled to various locations throughout the world, including several mixing services and gambling websites to conceal his identity and to hide the virtual currency. Separately, the Justice Department has also charged Canadian national Andean Medjedovic, 22, for exploiting smart contract vulnerabilities in two decentralized finance crypto platforms, KyberSwap and Indexed Finance, to fraudulently obtain about $65 million from the protocols’ investors between 2021 and 2023. A master’s degree holder in mathematics from the University of Waterloo, Medjedovic is also alleged to have laundered the proceeds through mixers and bridge transactions in an attempt to conceal the source and ownership of the funds. Medjedovic is charged with one count of wire fraud, one count of unauthorized damage to a protected computer, one count of attempted Hobbs Act extortion, one count of money laundering conspiracy, and one count of money laundering. He faces over 30 years in prison.
- U.S. Lawmakers Warn Against U.K. Order for Backdoor to Apple Data — After reports emerged that security officials in the U.K. have ordered Apple to create a backdoor to access any Apple user’s iCloud content, U.S. Senator Ron Wyden and Member of Congress Andy Biggs have sent a letter to Tulsi Gabbard, the Director of National Intelligence, urging the U.K. to retract its order, saying it threatens the “privacy and security of both the American people and the U.S. government.” “If the U.K. does not immediately reverse this dangerous effort, we urge you to reevaluate U.S.-U.K. cybersecurity arrangements and programs as well as U.S. intelligence sharing with the U.K.,” they added. The purported Apple backdoor request would reportedly allow authorities to access data currently secured by Advanced Data Protection, potentially affecting users worldwide. Wyden has also released a draft version of the Global Trust in American Online Services Act that seeks to “secure Americans’ communications against abusive foreign demands to weaken the security of communications services and software used by Americans.” While security experts have criticized the order, British officials have neither confirmed nor denied it.
🎥 Cybersecurity Webinars
- Webinar 1: From Code to Runtime: Transform Your App Security — Join our webinar with Amir Kaushansky from Palo Alto Networks and see how ASPM can change your app security. Learn how to connect code details with live data to fix gaps before they become risks. Discover smart, proactive ways to protect your applications in real-time.
- Webinar 2: From Debt to Defense: Fix Identity Gaps Fast — Join our free webinar with experts Karl Henrik Smith and Adam Boucher as they show you how to spot and close identity gaps with Okta’s Secure Identity Assessment. Learn simple steps to streamline your security process, focus on key fixes, and build a stronger defense against threats.
P.S. Know someone who could use these? Share it.
🔧 Cybersecurity Tools
- WPProbe — It’s a fast WordPress plugin scanner that uses REST API enumeration to stealthily detect installed plugins without brute force: it queries exposed endpoints and matches them against a precompiled database of over 900 plugins. It even maps detected plugins to known vulnerabilities (CVE) and outputs results in CSV or JSON format, making your scans both speedy and less likely to trigger security defenses.
- BruteShark — It’s a powerful and user-friendly Network Forensic Analysis Tool built for security researchers and network administrators. It digs deep into PCAP files or live network captures to extract passwords, rebuild TCP sessions, map your network visually, and even convert password hashes for offline brute force testing with Hashcat. Available as a Windows GUI or a versatile CLI for Windows and Linux.
🔒 Tip of the Week
Segment Your Wi-Fi Network for Better Protection — In today’s smart home, you likely have many connected devices—from laptops and smartphones to smart TVs and various IoT gadgets. When all these devices share the same Wi‑Fi network, a breach in one device could potentially put your entire network at risk. Home network segmentation helps protect you by dividing your network into separate parts, similar to how large businesses isolate sensitive information.
To set this up, use your router’s guest network or VLAN features to create different SSIDs, such as “Home_Private” for personal devices and “Home_IoT” for smart gadgets. Ensure each network uses strong encryption (WPA3 or WPA2) with unique passwords, and configure your router so devices on one network cannot communicate with those on another. Test your setup by connecting your devices accordingly and verifying that cross-network traffic is blocked, then periodically check your router’s dashboard to keep the configuration working smoothly.
Conclusion
That wraps up this week’s cybersecurity news. We’ve covered a broad range of stories—from the case of a former Google engineer charged with stealing key AI secrets to hackers taking advantage of a Windows user interface flaw. We’ve also seen how cybercriminals are moving into new areas like AI misuse and cryptocurrency scams, while law enforcement and industry experts work hard to catch up.
These headlines remind us that cyber threats come in many forms, and every day, new risks emerge that can affect everyone from large organizations to individual users. Keep an eye on these developments and take steps to protect your digital life. Thank you for joining us, and we look forward to keeping you informed next week.