
    THN Weekly Recap: Alerts on Zero-Day Exploits, AI Breaches, and Crypto Heists

    Mar 03, 2025, by Ravie Lakshmanan

    This week, a 23-year-old Serbian activist found themselves at the crossroads of digital danger when a sneaky zero-day exploit turned their Android device into a target. Meanwhile, Microsoft pulled back the curtain on a scheme where cybercriminals used AI tools for harmful pranks, and a massive trove of live secrets was discovered, reminding us that even the tools we rely on can hide risky surprises.

    We’ve sifted through a storm of cyber threats—from phishing scams to malware attacks—and broken down what it means for you in clear, everyday language. Get ready to dive into the details, understand the risks, and learn how to protect yourself in an increasingly unpredictable online world.

    ⚡ Threat of the Week

    Serbian Youth Activist Targeted by Android 0-Day Exploit Chain — A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit chain developed by Cellebrite to unlock the device and likely deploy an Android spyware called NoviSpy. The flaws combined CVE-2024-53104 with CVE-2024-53197 and CVE-2024-50302 to escalate privileges and achieve code execution. The vulnerabilities, originally present within the Linux kernel, were addressed in December 2024. CVE-2024-53104 has since been addressed in Android as of early February 2025. In response to the development, Cellebrite said it will no longer allow Serbia to use its software, stating “we found it appropriate to stop the use of our products by the relevant customers at this time.”


    🔔 Top News

    • Microsoft Unmasks People Behind LLMjacking Scheme — Microsoft revealed the identities of four individuals who it said were behind an Azure Abuse Enterprise scheme that involves leveraging unauthorized access to generative artificial intelligence (GenAI) services in order to produce offensive and harmful content. The campaign, also referred to as LLMjacking, has targeted various AI service providers, with the threat actors selling the access to other criminal actors to facilitate the illicit generation of non-consensual intimate images of celebrities and other sexually explicit content in violation of its policies.
    • Common Crawl Dataset Contains Nearly 12,000 Live Secrets — An analysis of a December 2024 archive from Common Crawl has uncovered nearly 12,000 live secrets, once again highlighting how hard-coded credentials pose a severe security risk to users and organizations alike. Furthermore, they also have the unintended side effect of exacerbating a problem where large language models (LLMs) end up suggesting insecure coding practices to their users due to the presence of hard-coded credentials in training data.
    • Silver Fox APT Uses Winos 4.0 to Target Taiwanese Orgs — Taiwanese companies have been targeted via phishing emails that masquerade as the country’s National Taxation Bureau with an aim to deliver the Winos 4.0 (aka ValleyRAT) malware. Winos, derived from Gh0st RAT, is a modular malware framework that acts both as a remote access trojan and a command-and-control (C2) framework. The malware has also been propagated via trojanized installers for Philips DICOM viewers. A majority of these artifacts have been detected in the United States and Canada, indicating a possible expansion of the Silver Fox APT’s targeting to new regions and sectors.
    • Australia Bans Kaspersky Products from Government Networks — Australia has become the latest country to ban the installation of security software from Russian company Kaspersky, citing “unacceptable security risk to Australian Government, networks and data.” Under the new directive, government entities are prohibited from installing Kaspersky’s products and web services on government systems and devices effective April 1, 2025. They have also been recommended to remove all existing instances by the cutoff date.
    • Bybit Hack Formally Attributed to Lazarus Group — The North Korea-linked Lazarus Group has been implicated in the record-breaking hack of crypto exchange Bybit that led to the theft of $1.5 billion in digital assets. The attack has been attributed to a threat cluster dubbed TraderTraitor, which was previously behind the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024. Further investigation has found that the hack was carried out by compromising one of the developer’s machines associated with multisig wallet platform Safe{Wallet} which affected an account operated by Bybit. “The Bybit attack mirrors North Korea’s established tactics of targeting centralized crypto exchanges through methods such as phishing, supply chain compromises, and private key theft strategies,” TRM Labs said. An infrastructure analysis has also found that the threat actors registered a fake domain named bybit-assessment[.]com a few hours before the theft took place. Silent Push, which discovered the domain, told The Hacker News it found no information to tie the bogus domain to the actual hack itself. It’s believed that the domain may have been set up as part of another related campaign codenamed Contagious Interview. The company also noted that the threat actors behind the Contagious Interview campaign are actively targeting various cryptocurrency companies such as Stripe, Coinbase, Binance, Block, Ripple, Robinhood, Tether, Circle, Kraken, Gemini, Polygon, Chainalysis, KuCoin, eToro, Bitstamp, Bitfinex, Gate.io, Pantera Capital, Galaxy, Bitwise Asset Management, Bitwise Investments, BingX, Gauntlet, XY Labs, YouHodler, MatChain, Bemo, Barrowwise, Bondex, Halliday, Holidu, Hyphen Connect, and Windranger. “Anyone applying for a job at one of these companies should be on the lookout for suspicious job offers or suspicious interview tactics,” the company added.

    🔥 Trending CVEs

    Your go-to software could be hiding dangerous security flaws—don’t wait until it’s too late! Update now and stay ahead of the threats before they catch you off guard.

    This week’s list includes — CVE-2025-27364 (MITRE Caldera), CVE-2025-24752 (Essential Addons for Elementor plugin), CVE-2025-27090 (Sliver), CVE-2024-34331 and its bypass (Parallels Desktop), CVE-2025-0690 (GRUB2), CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088 (RSync), CVE-2025-0475, CVE-2025-0555 (GitLab), CVE-2025-20111 (Cisco Nexus 3000 and 9000 Series Switches), CVE-2025-23363 (Siemens Teamcenter), CVE-2025-0514 (CVE-2025-0514), CVE-2025-1564 (SetSail Membership plugin), CVE-2025-1671 (Academist Membership plugin), CVE-2025-1638 (Alloggio Membership plugin), CVE-2024-12824 (Nokri – Job Board WordPress Theme), CVE-2024-9193 (WHMpress – WHMCS WordPress Integration Plugin), CVE-2024-8420 (DHVC Form plugin), CVE-2024-8425 (WooCommerce Ultimate Gift Card plugin), CVE-2025-25570 (Vue Vben Admin), CVE-2025-26943 (Jürgen Müller Easy Quotes plugin), and CVE-2025-1128 (Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin).

    📰 Around the Cyber World

    • Qualcomm and Google Announce Security Partnership — Chipmaker Qualcomm announced a partnership with Google with an aim to enable device manufacturers to provide up to eight years of software and security updates. “Starting with Android smartphones running on the Snapdragon 8 Elite Mobile Platform, Qualcomm Technologies now offers device manufacturers the ability to provide support for up to eight consecutive years of Android software and security updates,” the company said. “Smartphones launching on new Snapdragon 8 and 7-series mobile platforms will also be eligible to receive this extended support.” The eight-year pledge, however, only applies to devices using Arm-compatible Snapdragon 8 Elite chips and running Android 15, as well as future iterations of the Snapdragon 8 and 7-series.
    • Microsoft Removes 2 Malicious VSCode Extensions — Microsoft has taken down two popular VSCode extensions, ‘Material Theme – Free’ and ‘Material Theme Icons – Free,’ from the Visual Studio Marketplace for allegedly containing malicious code. The two extensions have been downloaded nearly 9 million times cumulatively. It’s believed that the malicious code was introduced in an update to the extensions, indicating either a supply chain attack or a compromise of the developer’s account. Microsoft said it also banned the developer, who claimed the issues are caused by outdated Sanity.io dependency that “looks compromised.” Another developer commented: “After being targeted for a removal, the reasonable, good faith action that the developer should have taken would be to reach out to the VS Code team, putting himself at their disposal to address any issues they have identified. Instead, he created multiple different accounts in order to submit the same extensions in an attempt to circumvent the restrictions, and implicated the VS Code devs in a conspiracy to personally censor him.”
    • Over 49,000 Misconfigured Access Management Systems Flagged — New research has uncovered more than 49,000 misconfigured access management systems (AMS) across the world, specifically in construction, healthcare, education, manufacturing, oil, and government sectors. These misconfigurations expose personal data, employee photographs, biometric data, work schedules, payslips, and other sensitive information. They could also be abused to access buildings and compromise physical security. Italy, Mexico, and Vietnam have emerged as the top countries with the most exposures. “These misconfigurations exposed highly sensitive personal information, including employee photographs, full names, identification numbers, access card details, biometric data, vehicle plate numbers, and in some cases, even complete work schedules and facility access histories,” Modat said. “Particularly concerning was the discovery of exposed biometric templates and facial recognition data in several modern access control systems, which could pose serious privacy risks if accessed by malicious actors.”
    • Telegram Remains the Top Platform for Cybercriminals — Despite new commitments from Telegram, the messaging app continues to remain a hub for cybercriminal activity. Some of the other platforms that are gaining traction, according to Flare.io, include Discord, Signal, TOX, Session, and Element/Matrix. While Discord invite links were primarily found on forums like Nulled, Cracked, VeryLeaks, and DemonForums, Matrix and Element protocol based IDs were mainly found on drugs focused forums like RuTOR, RCclub, and BigBro. TOX and Jabber IDs were predominantly shared on XSS, CrdPro, BreachForums, and Exploit forums. “Increased cooperation between Telegram and law enforcement has prompted discussions about alternative platforms, with Signal showing the most significant growth,” the company said. “Other messaging apps like Discord, TOX, Matrix, and Session play niche roles, often tied to specific cybercriminal activities or communities. Many threat actors use multiple messaging apps to ensure accessibility and redundancy in their communications.”
    • OpenSSF Releases Best Practices for Open-Source Projects — The Open Source Security Foundation (OpenSSF) released the Open Source Project Security Baseline (OSPS Baseline), a three-tiered set of requirements that aims to improve the security posture of open source software projects. “The OSPS Baseline offers a tiered framework of security practices that evolve with project maturity. It compiles existing guidance from OpenSSF and other expert groups, outlining tasks, processes, artifacts, and configurations that enhance software development and consumption security,” the OpenSSF said. “By adhering to the Baseline, developers can lay a foundation that supports compliance with global cybersecurity regulations, such as the E.U. Cyber Resilience Act (CRA) and U.S. National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF).” The development comes as Google issued calls for standardizing memory safety by “establishing a common framework for specifying and objectively assessing memory safety assurances.”
    • MITRE Releases OCCULT Framework — The MITRE Corporation has detailed a lightweight operational evaluation framework called OCCULT that allows cyber security experts to quantify the possible risks associated with a large language model (LLM) used in offensive cyber operations. “The OCCULT objective is ultimately about understanding the cyber operation capacity of an AI system, and quantifying performance in these dimensions of cyber reasoning can provide insight into that,” MITRE said.
    • Michigan Man Indicted on Wire Fraud and Aggravated Identity Theft Charges — Andrew Shenkosky, a 29-year-old man from the U.S. state of Michigan, has been indicted on wire fraud and aggravated identity theft charges after purchasing 2,468 stolen login credentials from the dark web marketplace Genesis Market and using them to make fraudulent financial transactions. Shenkosky is also alleged to have offered some of the stolen account data for sale on other criminal forums, including the now-defunct Raid Forums. The scheme was devised and executed from approximately February 2020 to November 2020, the U.S. Justice Department said.
    • 16 Malicious Google Chrome Extensions Flagged — Cybersecurity researchers have uncovered a cluster of at least 16 malicious Chrome extensions that were used to inject code into browsers to facilitate advertising and search engine optimization (SEO) fraud. The browser add-ons, now removed from the Chrome Web Store, collectively impacted 3.2 million users and masqueraded as screen capture tools, ad blockers, and emoji keyboards. According to GitLab, it’s suspected that the threat actors acquired access to at least some of the extensions from their original developers to subsequently push out the trojanized versions. The activity has been ongoing since at least July 2024.
    • Gmail to Ditch SMS for Two-Factor Authentication — Google is planning to end support for SMS-based two-factor authentication in Gmail so as to “reduce the impact of rampant, global SMS abuse.” In lieu of the SMS-based system, the company is expected to display a QR code that users need to scan so as to log in to their accounts, Forbes reported.
    • Details Emerge About NSA’s Alleged Hack of China’s Northwestern Polytechnical University — In 2022, China accused the U.S. National Security Agency (NSA) of conducting a string of cyber attacks aimed at the Northwestern Polytechnical University. It said the attack targeting the research university employed no fewer than 40 different cyber weapons that are designed to siphon passwords, network equipment configuration, network management data, and operation and maintenance data. China has given the NSA the threat actor designation APT-C-40. According to a new analysis published by security researcher Lina Lau (aka “inversecos”), the attribution to the agency boils down to a combination of attack times (or lack thereof during Memorial Day and Independence Day holidays), hands-on keyboard activity using American English, human error, and the presence of tools previously discovered during the Shadow Brokers leak. The attack involved the use of a zero-day vulnerability attack platform called Fox Acid to automate the delivery of browser-based exploits when visiting legitimate websites. Some of the other tools deployed included ISLAND for exploiting Solaris systems; SECONDDATE, a framework installed on edge devices to conduct network eavesdropping, MitM attacks, and code injection; NOPEN and FLAME SPRAY for remote access to compromised systems; CUNNING HERETICS, a lightweight implant for covert access to NSA communication channels; STOIC SURGEON, a backdoor targeting Linux, Solaris, JunOS, and FreeBSD systems; DRINKING TEA for credential harvesting; TOAST BREAD, a log manipulation tool that erased evidence of unauthorized access; and Shaver, a program to attack exposed SunOS servers for use as jump servers. It’s said that NSA operatives stole classified research data, network infrastructure details, and sensitive operational documents from the university.
    • Apple Find My Exploit Can Turn a Bluetooth Device into an AirTag — A group of academics from George Mason University has detailed a new vulnerability in Apple’s Find My network called nRootTag that turns devices into trackable “AirTags” without requiring root privileges. “The attack achieves a success rate of over 90% within minutes at a cost of only a few U.S. dollars. Or, a rainbow table can be built to search keys instantly,” the researchers said. “Subsequently, it can locate a computer in minutes, posing a substantial risk to user privacy and safety. The attack is effective on Linux, Windows, and Android systems, and can be employed to track desktops, laptops, smartphones, and IoT devices.” Apple has released patches in iOS 18.2, iPadOS 17.7.3, 18.2, watchOS 11.2, tvOS 18.2, macOS Ventura 13.7.2, Sonoma 14.7.2, Sequoia 15.2, and visionOS 2.2 to fix the vulnerability. That said, the attack remains effective as long as unpatched iPhones or Apple Watches are in the proximity of a target device running a malicious trojan, which is capable of advertising Bluetooth Low Energy (BLE) broadcasts that are used to glean a device’s location by querying Apple’s servers. In other words, simply by installing malware that can send BLE advertisements, the technique can make the device it’s running on trackable via Apple’s Find My network.
    • Swedish Authorities Seek Backdoor Access to Encrypted Messaging Apps — Sweden’s law enforcement and security agencies are pushing for legislation that forces encrypted messaging services like Signal and WhatsApp to create technical backdoors allowing them to access communications. Signal Foundation President Meredith Whittaker said the company would rather exit the market than comply with such a law, Swedish news outlet SVT Nyheter reported last week. The development follows Apple’s disabling of iCloud’s Advanced Data Protection (ADP) feature for users in the U.K. last week in response to reports that the Home Office had requested the ability to access encrypted contents in the cloud. Tulsi Gabbard, the director of U.S. National Intelligence, said she was not informed in advance about the U.K. government’s demand to be able to access Apple customers’ encrypted data. U.S. officials are said to be looking at whether the U.K. violated a bilateral agreement by demanding Apple create a “backdoor” to access end-to-end encrypted iCloud data, according to Reuters. It also comes as concerns are being raised over a proposed amendment to the Narcotrafic law in France that seeks to backdoor encrypted messaging systems and hand over chat messages of suspected criminals within 72 hours of a law enforcement request. “A backdoor for the good guys only is a dangerous illusion,” Matthias Pfau, CEO of Tuta Mail, said in a statement shared with The Hacker News. “Weakening encryption for law enforcement inevitably creates vulnerabilities that can – and will – be exploited by cybercriminals and hostile foreign actors. This law would not just target criminals, it would destroy security for everyone.”
    • Cybercriminal Behind More Than 90 Data Leaks Arrested — A joint operation of the Royal Thai Police and the Singapore Police Force has led to the arrest of an individual responsible for more than 90 instances of data leaks worldwide, including 65 in the Asia-Pacific (APAC) region alone. The leaks resulted in the sale of over 13TB of personal data on the dark web, per Singaporean company Group-IB. The individual operated under various aliases ALTDOS, DESORDEN, GHOSTR, and 0mid16B. The identity of the suspect has not been disclosed, but Thai media reported that he goes by the name Chingwei. “The main goal of his attacks was to exfiltrate the compromised databases containing personal data and to demand payment for not disclosing it to the public,” Group-IB said. “If the victim refused to pay, he did not announce the leaks on dark web forums. Instead he notified the media or personal data protection regulators, with the aim of inflicting greater reputational and financial damage on his victims.” In select instances, the threat actor also encrypted the victim’s databases as a means of exerting more pressure. The attacks leveraged SQL injection tools like sqlmap and exploited vulnerable Remote Desktop Protocol (RDP) servers to gain unauthorized access, followed by deploying a cracked version of an adversary simulation tool named Cobalt Strike for controlling compromised servers and exfiltrating data. Targets of the individual’s attacks spanned industries such as healthcare, retail, property investment, finance, e-commerce, logistics, technology, hospitality, insurance, and recruitment.

    🎥 Expert Webinar

    • Webinar 1: Discover How ASPM Bridges Critical Gaps in AppSec Before It’s Too Late — Join our free webinar to learn how ASPM is changing app security. Amir Kaushansky from Palo Alto Networks will show you how ASPM unites your security tools and makes managing risks easier. Hear real success stories from hundreds of users and get clear, practical advice to protect your apps.
    • Webinar 2: Transform Your Code Security with One Smart Engine — Join this next webinar to learn how to stop identity-based attacks like phishing and MFA bypass. Discover a secure access solution trusted by over 500 users. With limited spots, don’t miss your chance to protect your identity. Sign up now!

    P.S. Know someone who could use these? Share it.

    🔧 Cybersecurity Tools

    • MEDUSA — It is a powerful, FRIDA-powered tool designed for dynamic analysis of Android and iOS apps. It automates tasks such as bypassing SSL pinning, tracing function calls, and modifying app behavior in real time—all in a simple and efficient way. This makes it the perfect solution for uncovering vulnerabilities and strengthening mobile security.
    • Galah — It is an AI-driven web honeypot designed to lure and study cyber attackers. It mimics different web applications by generating smart, realistic responses to any HTTP request, making it harder for hackers to tell what’s real. Initially built as a fun project to explore the power of large language models, Galah offers a simple way to see how modern AI can be used in cybersecurity.

    🔒 Tip of the Week

    The Hidden Dangers of Copy-Paste: How to Secure Your Clipboard from Cyber Threats — Clipboard security is often overlooked, yet it’s a prime target for attackers. Malware can hijack your clipboard to steal sensitive data, swap cryptocurrency addresses, or execute malicious commands without your knowledge. Tools like Edit Clipboard Contents Tool allow you to inspect and modify clipboard data at a raw level, providing visibility into potential threats. Sysinternals Process Monitor (ProcMon) can detect suspicious access to the clipboard, helping you catch rogue processes. Additional tools like InsideClipboard and Clipboardic log clipboard history and show all formats, revealing hidden malicious content that could otherwise go unnoticed.

    To protect against clipboard-based attacks, use clipboard-clearing practices after copying sensitive data, and avoid pasting from untrusted sources. Developers should implement auto-clearing of clipboard data and sanitize pasted input to prevent exploits. Cybersecurity professionals can monitor clipboard access via Sysmon or DLP systems to alert on suspicious behavior. By incorporating these tools and habits, you can better defend against clipboard hijacking and ensure sensitive information remains secure.
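    As an added illustration of the monitoring advice above (example code written for this recap, not a tool from the article), the following Python detector scans a stream of clipboard updates for the signature of address-swapping “clipper” malware: a cryptocurrency address replaced within seconds by a different address of the same type, written by a different process. The event stream, process names and addresses are all constructed; a real monitor would feed it from Sysmon, a clipboard hook, or similar telemetry, and the availability of the owning process name is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Address shapes a clipper typically targets (constructed for this example;
# extend with other coin formats as needed).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipEvent:
    """One clipboard update as a monitor would record it (constructed input)."""
    ts: float      # seconds since monitoring started
    text: str      # clipboard text content
    owner: str     # process that set the clipboard (assumed to be known to the monitor)


def classify(text: str) -> Optional[str]:
    """Return the address type the text looks like, or None if it is not an address."""
    s = text.strip()
    for kind, pat in ADDRESS_PATTERNS.items():
        if pat.match(s):
            return kind
    return None


def detect_swaps(events: List[ClipEvent], window: float = 2.0) -> List[dict]:
    """Flag clipper-style substitutions: an address replaced by a different
    address of the same type within `window` seconds, by a different process
    than the one that placed the original value."""
    alerts = []
    prev: Optional[ClipEvent] = None
    for ev in events:
        kind = classify(ev.text)
        if prev is not None and kind is not None:
            same_kind = classify(prev.text) == kind
            changed = prev.text.strip() != ev.text.strip()
            quick = (ev.ts - prev.ts) <= window
            other_process = ev.owner != prev.owner
            if same_kind and changed and quick and other_process:
                alerts.append({
                    "ts": ev.ts, "kind": kind, "owner": ev.owner,
                    "original": prev.text.strip(), "replacement": ev.text.strip(),
                })
        prev = ev
    return alerts


# Constructed sample stream: the second event is the behaviour a clipper shows.
VICTIM_BTC = "1VictimAddrDemoABCDEFGHJKMNPQRSTUV"
ATTACKER_BTC = "1AttackerAddrDemoXYZabcdefghjkmnpq"
SAMPLE_EVENTS = [
    ClipEvent(0.0, VICTIM_BTC, "explorer.exe"),
    ClipEvent(0.3, ATTACKER_BTC, "updater.exe"),          # swap 300 ms after the copy
    ClipEvent(20.0, "meeting notes for Tuesday", "notepad.exe"),
    ClipEvent(25.0, "0x1234567890abcdef1234567890abcdef12345678", "chrome.exe"),
    ClipEvent(40.0, VICTIM_BTC, "chrome.exe"),             # different type, long gap: benign
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"[{a['ts']:.1f}s] {a['kind']} address replaced by {a['owner']}: "
              f"{a['original']} -> {a['replacement']}")
```

The same comparison can be applied at paste time in an application: if the value being pasted into an address field differs from what the user last copied, prompt before accepting it.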

    Conclusion

    As we close this week’s update, remember that staying informed is the first step to protecting yourself online. Every incident—from targeted exploits to AI misuse—shows that cyber threats are real and constantly changing.

    Thank you for reading. Stay alert, update your systems, and use these insights to make smarter choices in your digital life. Stay safe until next week.

    Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

    https://thehackernews.com/2025/03/thn-weekly-recap-alerts-on-zero-day.html
