CyberSecurity Newsletter, 3rd March 2025
In this week’s news: nearly 12,000 valid API keys and passwords found in the Common Crawl AI training dataset; DISA Global Solutions, a U.S.-based provider of employee screening services, suffered a data breach affecting more than 3.3 million people; Meta fired about 20 employees for leaking “confidential information outside the company”; Cisco addressed command injection and denial-of-service (DoS) vulnerabilities in Nexus switches; an activist’s phone was unlocked by police using a Cellebrite zero-day exploit; Apple will no longer offer iCloud end-to-end encryption in the United Kingdom after the government requested a backdoor to its customers’ encrypted cloud data; and one of the most notorious cybercriminals in the Asia-Pacific region was arrested in Thailand.
DISA Global Solutions, a U.S.-based provider of employee screening services, has said it suffered a data breach that affects more than 3.3 million people. DISA, which provides services like drug and alcohol testing and background checks to more than 55,000 enterprises and a third of Fortune 500 companies, confirmed the data breach in a filing with Maine’s attorney general on Monday.
https://techcrunch.com/2025/02/25/us-employee-screening-giant-disa-says-hackers-accessed-data-of-more-than-3m-people/
Law enforcement have arrested one of the most notorious cybercriminals operating in the Asia-Pacific region. The joint operation was carried out by Royal Thai Police and the Singapore Police Force with the support of cybersecurity company Group-IB. The individual was arrested in Thailand. The 39-year-old man, who has used several aliases including Altdos, Desorden, Ghostr and 0mid16B, is allegedly responsible for more than 90 instances of data extortion attacks worldwide.
https://www.infosecurity-magazine.com/news/data-extortion-actor-thailand/
The Belgian federal prosecutor's office is investigating whether Chinese hackers were behind a breach of the country's State Security Service (VSSE). Chinese state-backed attackers reportedly gained access to VSSE's external email server between 2021 and May 2023, siphoning around 10% of all emails sent and received by the agency's staff.
https://www.bleepingcomputer.com/news/security/belgium-probes-chinese-hack-behind-intelligence-service-breach/
Meta fired about 20 employees because they had leaked “confidential information outside the company,” with more firings expected.
https://securityaffairs.com/174798/social-networks/meta-fired-20-employees-for-leaking-information.html
Close to 12,000 valid secrets, including API keys and passwords, have been found in the Common Crawl dataset used to train multiple artificial intelligence models. The non-profit Common Crawl organization maintains a massive open repository of petabytes of web data collected since 2008, free for anyone to use.
https://www.bleepingcomputer.com/news/security/nearly-12-000-api-keys-and-passwords-found-in-ai-training-dataset/
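The practical takeaway from this item is that anything published on the web (including the HTML of a forgotten staging page) can end up in a crawl and then in a model. The scanner below is an added illustration, not code from the article, from Common Crawl or from the researchers who did the analysis: it combines fixed-format credential patterns with a Shannon-entropy check on generic “name = value” assignments, so that placeholders like a run of x’s are not reported. The patterns, the 3.5-bit threshold and the sample text are assumptions constructed for this example; AKIAIOSFODNN7EXAMPLE is the placeholder access key ID used in Amazon’s own documentation.

```python
import math
import re

# Added example (not from the article or Common Crawl): a minimal scanner
# that flags credentials in text using two complementary checks. The
# fixed-format patterns and the entropy threshold are assumptions chosen
# for illustration, not a complete catalogue of credential formats.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic "name = value" assignments whose name suggests a secret. The value
# must be at least 16 characters; the entropy check weeds out placeholders.
ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|password|passwd|token)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9_\-/+=]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption for this example


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical character distribution of s."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep enough of the hit to locate it without reproducing the secret."""
    return value[:4] + "..." + value[-2:]


def scan_line(line: str):
    """Return (kind, raw_value) pairs found on one line of text."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(line):
            findings.append((kind, m.group(0)))
    known = {value for _, value in findings}
    for m in ASSIGNMENT.finditer(line):
        value = m.group(1)
        if value in known:
            continue  # already reported under a fixed-format pattern
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy_assignment", value))
    return findings


def scan_text(text: str):
    """Return (line_number, kind, redacted_value) for every hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, value in scan_line(line):
            hits.append((lineno, kind, redact(value)))
    return hits


# Constructed sample input standing in for crawled page content.
# AKIAIOSFODNN7EXAMPLE is Amazon's documentation placeholder; the other
# values were made up for this example and are not real credentials.
SAMPLE = """\
<p>Config: aws_access_key_id = AKIAIOSFODNN7EXAMPLE</p>
export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
api_key = "q7Zp3Lm9Xk2Rt8Wn5Bv1Cz6Hs4Jd0Fg"
password = "xxxxxxxxxxxxxxxxxxxxxxxx"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, kind, shown in scan_text(SAMPLE):
        print(f"line {lineno}: {kind}: {shown}")
```

Running it reports the AWS key, the GitHub token, the high-entropy api_key value and the private key header, and stays silent on the all-x placeholder. A pattern hit is a stronger signal than an entropy hit, so in a real pipeline the two kinds deserve different triage; and a hit on anything you own should be treated as already public and rotated, since the crawl cannot be recalled.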
The threat actor known as Sticky Werewolf has been linked to targeted attacks primarily in Russia and Belarus with the aim of delivering the Lumma Stealer malware by means of a previously undocumented implant.
https://thehackernews.com/2025/02/sticky-werewolf-uses-undocumented.html
Cisco addressed command injection and denial-of-service (DoS) vulnerabilities in some models of its Nexus switches.
https://securityaffairs.com/174753/security/cisco-fixed-command-injection-and-dos-flaws-in-nexus-switches.html
More than 2,000 Cisco, QNAP, Synology, and ASUS network edge devices worldwide, particularly in the U.S., Taiwan, Russia, India, Brazil, Australia, and Argentina, have been compromised by the PolarEdge botnet since the end of 2023.
https://www.scworld.com/brief/widespread-network-edge-device-targeting-conducted-by-polaredge-botnet
A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit developed by Cellebrite to unlock the device, according to a new report from Amnesty International. "The Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite," the international non-governmental organization said, adding the traces of the exploit were discovered in a separate case in mid-2024.
https://thehackernews.com/2025/02/amnesty-finds-cellebrites-zero-day.html
A campaign dubbed “360XSS” exploits a cross-site scripting (XSS) vulnerability in the Krpano virtual tour framework to hijack search results and distribute spam ads on more than 350 sites, including government, university and news outlet websites. The campaign, uncovered by cybersecurity researcher Oleg Zaytsev, combined search engine manipulation with mass advertisement distribution.
https://hackread.com/over-350-high-profile-websites-hit-by-360xss-attack/
The Qilin ransomware gang has claimed responsibility for the attack on Lee Enterprises that disrupted operations on February 3, leaking samples of data it claims was stolen from the company. The threat actors have threatened to leak all the allegedly stolen data on March 5, 2025, unless a ransom is paid. Lee Enterprises is a US-based media company that owns and operates over 77 daily newspapers, 350 publications, digital media platforms, and marketing services. Its primary focus is local news and advertising, and its digital audience reaches tens of millions monthly.
https://www.bleepingcomputer.com/news/security/qilin-ransomware-claims-attack-at-lee-enterprises-leaks-stolen-data/
Microsoft exposed four individuals behind an Azure Abuse scheme using unauthorized GenAI access to create harmful content.
https://securityaffairs.com/174779/cyber-crime/azure-abuse-scheme-individuals-exposed.html
Microsoft warns that a zero-day flaw in the Paragon Partition Manager BioNTdrv.sys driver is being actively exploited by ransomware gangs. Microsoft discovered five vulnerabilities in the driver and reported that one of them is being used in zero-day attacks by ransomware groups. Because the driver is signed, attackers can bring their own copy and load it on systems where Paragon software is not installed (a bring-your-own-vulnerable-driver attack) to gain kernel-level privileges, so defenders should check for the driver’s presence rather than only for the product.
https://securityaffairs.com/174789/cyber-crime/ransomware-gangs-paragon-partition-manager-biontdrv-sys-driver-zero-day-attacks.html
Kaspersky’s Global Research & Analysis Team (GReAT) discovered hundreds of open-source repositories containing multistage malware targeting gamers and crypto investors in a new campaign Kaspersky dubbed GitVenom. The infected projects include an automation tool for interacting with Instagram accounts, a Telegram bot for remote management of Bitcoin wallets, and a crack tool for the game Valorant.
https://www.kaspersky.com/about/press-releases/kaspersky-exposes-hidden-malware-on-github-stealing-personal-data-and-485000-in-bitcoin
The “incransom” ransomware group has claimed responsibility for an attack on Breakaway Concrete Cutting, according to ThreatMon’s Threat Intelligence Team, which reported the claim on March 1, 2025. The linked article gives an overview of the incident and its impact.
https://undercodenews.com/ransomware-attack-hits-breakaway-concrete-cutting-analyzing-the-incident/
Apple will no longer offer iCloud end-to-end encryption (its Advanced Data Protection feature) in the United Kingdom after the government requested a backdoor to access Apple customers' encrypted cloud data.
https://www.bleepingcomputer.com/news/security/apple-pulls-icloud-end-to-end-encryption-feature-in-the-uk/
A new variant of the Vo1d malware botnet has grown to 1,590,299 infected Android TV devices across 226 countries, recruiting devices as part of anonymous proxy server networks. This is according to an investigation by Xlab, which has been tracking the new campaign since last November, reporting that the botnet peaked on January 14, 2025, and currently has 800,000 active bots.
https://www.bleepingcomputer.com/news/security/vo1d-malware-botnet-grows-to-16-million-android-tvs-worldwide/