cyberlights – week 11/2025
A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!
News For All
💻 Npm Run Hack:Me – A Supply Chain Attack Journey cybercrime – A freelance developer fell victim to a supply chain attack after running a seemingly harmless npm command, compromising their system and exposing sensitive data. https://rxj.dev/posts/npm-run-hack-supply-chain-attack-journey/
🐍 Fake Reddit and WeTransfer pages are spreading stealer malware malware – A massive cybercriminal operation is impersonating WeTransfer and Reddit through 1,000 fake sites to distribute Lumma stealer malware, targeting sensitive data on users' systems. https://moonlock.com/fake-reddit-wetransfer-lumma-stealer
🔑 India wants cloud and email backdoors for tax authorities privacy – India's government proposes giving tax authorities access to private digital records, including emails and cloud servers, raising concerns over warrantless surveillance and privacy rights. https://www.theregister.com/2025/03/09/asia_tech_news_roundup/
🕸️ Thousands of WordPress Websites Infected with Malware malware – Thousands of WordPress sites have been infected with malware featuring four backdoors, allowing attackers persistent access and control through various malicious means. https://www.schneier.com/blog/archives/2025/03/thousands-of-wordpress-websites-infected-with-malware.html
🏪 FBI Denver Warns of Online File Converter Scam cybercrime – Cyber criminals are exploiting free online document converters to spread malware, risking victims' personal and financial information. Stay alert and report incidents to protect yourself. https://www.fbi.gov/contact-us/field-offices/denver/news/fbi-denver-warns-of-online-file-converter-scam
🏥 Two Rhysida healthcare attacks pwned 300K patients' data data breach – Cyberattacks on Sunflower Medical Group and Community Care Alliance compromised the personal and medical data of over 300,000 patients, with both organizations linked to the Rhysida ransomware gang. https://www.theregister.com/2025/03/10/rhysida_healthcare/
🪙 Scam spoofs Binance website and uses TRUMP coin as lure for malware malware – Hackers are distributing a remote access tool via fake Binance emails promoting TRUMP coins, tricking victims into downloading malware that allows for immediate control of their computers. https://therecord.media/email-scam-spoofs-binance-offers-trump-coin-connectwise-rat
📺 Google warns folks with dead Chromecasts not to reset them security news – A major outage affecting second-generation Chromecasts and Chromecast Audio is due to an expired security certificate, preventing users from casting. Google advises against factory resets while working on a fix. https://www.theregister.com/2025/03/10/google_chromecast_outage/
🔍 Wie Google Android-Nutzer verfolgt, noch bevor sie eine App öffnen privacy – Eine Studie zeigt, dass Google Android-Nutzer bereits beim Start des Geräts ohne Zustimmung trackt, indem Identifikatoren und Cookies aktiviert werden. Dies wirft Datenschutzbedenken auf. https://www.kuketz-blog.de/wie-google-android-nutzer-verfolgt-noch-bevor-sie-eine-app-oeffnen/
🎮 New wave of attacks on gamers with DCRat backdoor malware – A surge in DCRat backdoor distribution targets gamers via YouTube, using fake accounts to promote malware disguised as gaming software. The malware includes keylogging and webcam access capabilities. https://securelist.com/new-wave-of-attacks-with-dcrat-backdoor-distributed-by-maas/115850/
🔒 Apple fixes new security flaw used in 'extremely sophisticated attack' security news – Apple patched a zero-day vulnerability in WebKit that allowed hackers to escape its protective sandbox, potentially impacting targeted individuals. The fix applies to Macs, iPhones, iPads, and Safari. https://techcrunch.com/2025/03/11/apple-fixes-new-security-flaw-used-in-extremely-sophisticated-attack/
🏹 Previously unidentified botnet targets unpatched TP-Link Archer home routers malware – The Ballista botnet targets unpatched TP-Link Archer routers, exploiting the CVE-2023-1389 vulnerability for automatic infection. Researchers link the threat to an Italian hacker, highlighting risks for IoT devices. https://therecord.media/ballista-botnet-tp-link-archer-routers
📱 North Korean government hackers snuck spyware on Android app store cybercrime – North Korean hackers uploaded spyware named KoSpy to the Google Play store, targeting specific individuals. The malware collects sensitive information and has been linked to previous North Korean cyber activities. https://techcrunch.com/2025/03/12/north-korean-government-hackers-snuck-spyware-on-android-app-store/
📍 Saudi Arabia Buys Pokémon Go, and Probably All of Your Location Data privacy – Saudi Arabia's Public Investment Fund acquired Niantic's popular AR games, including Pokémon Go, raising concerns about the handling of location data from its 100 million players under the new ownership. https://www.404media.co/saudi-arabia-buys-pokemon-go-and-probably-all-of-your-location-data/
🔒 Signal no longer cooperating with Ukraine on Russian cyberthreats, official says security news – Signal has reportedly stopped responding to Ukrainian law enforcement requests about Russian cyberthreats, raising concerns about aiding Russian espionage. Signal Foundation denies any cessation of cooperation. https://therecord.media/signal-no-longer-cooperating-with-ukraine
📩 How to Use Signal Encrypted Messaging privacy – Signal is a top encrypted messaging app, offering features for secure communication, including disappearing messages, username options, and encrypted calls. Users are advised to implement security settings to maximize privacy. https://www.wired.com/story/signal-tips-private-messaging-encryption/
📧 Don't click on that email claiming to be a disgruntled guest cybercrime – A phishing campaign disguised as Booking.com emails targets hospitality employees, delivering malware for credential theft. The attackers use social engineering tactics to prompt users into downloading malicious software. https://www.theregister.com/2025/03/13/bookingdotcom_phishing_campaign/
🔒 A New Era of Attacks on Encryption Is Starting to Heat Up privacy – Recent government actions in the UK, France, and Sweden threaten end-to-end encryption, pushing for backdoors and client-side scanning, raising concerns among privacy advocates about surveillance and user safety. https://www.wired.com/story/a-new-era-of-attacks-on-encryption-is-starting-to-heat-up/
💻 ClickFix: How to Infect Your PC in Three Easy Steps – Krebs on Security security research – The ClickFix malware scheme tricks users into downloading password-stealing malware through a fake human verification process that exploits Windows commands. It's being widely used in phishing attacks targeting various sectors, including hospitality and healthcare. https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three-easy-steps/
🩺 A ransomware attack hit the Micronesian state of Yap, causing the health system network to go down. cybercrime – Yap, a state in Micronesia, experienced a ransomware attack that forced the shutdown of its government health agency's computers, disrupting services and prompting an investigation into the breach. https://securityaffairs.com/175445/cyber-crime/a-ransomware-attack-hit-the-micronesian-state-of-yap.html
Some More, For the Curious
🔓 CVE-2024-9956 – PassKey Account Takeover in All Mobile Browsers vulnerability – A vulnerability in mobile browsers allows attackers within Bluetooth range to phish PassKeys credentials by triggering authentication requests, undermining their security. Comment: <3 https://mastersplinter.work/research/passkey/
🤺 Jailbreaking is (mostly) simpler than you think security research – The Context Compliance Attack (CCA) is a simple jailbreak method exploiting AI systems' reliance on client-supplied conversation history, highlighting vulnerabilities in AI safety practices. https://msrc.microsoft.com/blog/2025/03/jailbreaking-is-mostly-simpler-than-you-think/
🏬 In-Depth Technical Analysis of the Bybit Hack security research – Bybit fell victim to a sophisticated hack, losing $1.4 billion via a manipulated transaction approval process. https://www.nccgroup.com/us/research-blog/in-depth-technical-analysis-of-the-bybit-hack/
🐞 Hartwork Blog · Recursion kills: The story behind CVE vulnerability – Expat 2.7.0 addresses CVE-2024-8176, a serious recursion vulnerability that could lead to stack overflow, with collaboration from industry partners resulting in a significant security fix. https://blog.hartwork.org/posts/expat-2-7-0-released/
💔 My Scammer Girlfriend: Baiting A Romance Fraudster cybercrime – The author investigates romance fraud by posing as a target to analyze techniques used by scammers like 'Aidana', revealing how they manipulate emotions and extract money from victims. Comment: This one is a long but fun read. https://www.bentasker.co.uk/posts/blog/security/seducing-a-romance-scammer.html
🐺 How NOT to f-up your security incident response security news – Improper incident response can lead to severe financial losses. Experts stress the importance of methodical investigations, up-to-date response plans, and collaboration among security teams to mitigate damages during breaches. https://www.theregister.com/2025/03/10/incident_response_advice/
⚠️ Experts warn of mass exploitation of critical PHP flaw CVE vulnerability – CVE-2024-4577, a critical PHP vulnerability allowing remote code execution, is being widely exploited, with over 1,000 attacks detected globally. Experts urge immediate updates to PHP installations to mitigate risks. https://securityaffairs.com/175198/hacking/experts-warn-of-mass-exploitation-of-critical-php-flaw-cve-2024-4577.html
⚙️ Multiple vulnerabilities found in ICONICS industrial SCADA software vulnerability – Five vulnerabilities in ICONICS SCADA software could lead to privilege escalation, DLL hijacking, and system compromise, affecting critical infrastructure worldwide. Patches exist, but many servers remain unpatched. https://cyberscoop.com/iconics-scada-vulnerabilities-2025-palo-alto/
🕒 Switzerland's NCSC requires cyberattack reporting for critical infrastructure within 24 hours security news – Switzerland's NCSC mandates that critical infrastructure organizations report cyberattacks within 24 hours due to rising threats, with penalties for non-compliance starting in October 2025. https://securityaffairs.com/175260/laws-and-regulations/switzerlands-ncsc-requires-cyberattack-reporting-for-critical-infrastructure-within-24-hours.html
💳 Cracking the Code: How to Identify, Mitigate, and Prevent BIN Attacks security research – BIN attacks exploit publicly available Bank Identification Numbers to brute-force valid card details. Effective mitigation includes rate limiting, enhanced authentication, and collaboration with payment processors to prevent fraudulent transactions. https://www.cybereason.com/blog/identifying-and-preventing-bin-attacks
🔧 Zero Day Initiative — The March 2025 Security Update Review security news – March 2025 security updates include significant patches from Adobe and Microsoft addressing multiple vulnerabilities, with critical fixes for code execution bugs in popular software. Immediate deployment is advised due to active exploits. https://www.thezdi.com/blog/2025/3/11/the-march-2025-security-update-review
🎣 Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies security research – This article explores various modern phishing techniques, including HTML pages, Browser-in-the-Browser, and Adversary-in-the-Middle methods, while discussing their infrastructure needs and effectiveness in bypassing security measures. http://blog.quarkslab.com/technical-dive-into-modern-phishing.html
📝 Meta warns of actively exploited flaw in FreeType library vulnerability – Meta has identified an actively exploited vulnerability (CVE-2025-27363) in the FreeType library that allows for arbitrary code execution. Users are urged to update to version 2.13.3 to mitigate risks. https://securityaffairs.com/175337/hacking/meta-warned-actively-exploited-cve-2025-27363.html
🔐 GitLab addressed critical auth bypass flaws in CE and EE) vulnerability – GitLab has patched two critical authentication bypass vulnerabilities (CVE-2025-25291 and CVE-2025-25292) in its Community and Enterprise Editions, enabling potential account takeover through SAML SSO authentication. Users are urged to update immediately. https://securityaffairs.com/175370/security/gitlab-addressed-critical-flaws-in-ce-and-ee.html
📱 Meet Rayhunter: A New Open Source Tool from EFF to Detect Cellular Spying privacy – The EFF has introduced Rayhunter, an open-source tool for detecting cell-site simulators (CSS) using a mobile hotspot, aiming to empower users to gather data on surveillance tactics and protect privacy. https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-open-source-tool-eff-detect-cellular-spying
CISA Corner
🪤 #StopRansomware: Medusa Ransomware ransomware – The FBI and CISA released a joint advisory on Medusa ransomware, detailing its RaaS model, tactics, and indicators of compromise. The ransomware targets critical sectors, employing a double extortion strategy to demand payment for file decryption. https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
⚠️ CISA Adds Five Known Exploited Vulnerabilities to Catalog warning – CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting risks from SQL injection and unrestricted file uploads, primarily in Advantive VeraCore and Ivanti Endpoint Manager. https://www.cisa.gov/news-events/alerts/2025/03/10/cisa-adds-five-known-exploited-vulnerabilities-catalog ⚠️ CISA Adds Six Known Exploited Vulnerabilities to Catalog warning – CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including critical flaws in Microsoft Windows that pose significant risks and require immediate remediation. https://www.cisa.gov/news-events/alerts/2025/03/11/cisa-adds-six-known-exploited-vulnerabilities-catalog ⚠️ CISA Adds Two Known Exploited Vulnerabilities to Catalog warning – CISA has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog: CVE-2025-24201 affecting Apple WebKit and CVE-2025-21590 impacting Juniper Junos OS, both posing significant risks to federal networks. https://www.cisa.gov/news-events/alerts/2025/03/13/cisa-adds-two-known-exploited-vulnerabilities-catalog
⚙️ CISA Releases Two Industrial Control Systems Advisories vulnerability – CISA has issued two advisories regarding security vulnerabilities in Schneider Electric's Uni-Telway Driver and Optigo Networks' Visual BACnet Capture Tool, urging users to review for mitigations. https://www.cisa.gov/news-events/alerts/2025/03/11/cisa-releases-two-industrial-control-systems-advisories ⚙️ CISA Releases Thirteen Industrial Control Systems Advisories vulnerability – CISA has published thirteen advisories addressing security vulnerabilities in industrial control systems, providing crucial information for organizations to enhance their cybersecurity posture. https://www.cisa.gov/news-events/alerts/2025/03/13/cisa-releases-thirteen-industrial-control-systems-advisories
While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.
(by @wrzlbrmpft@infosec.exchange) Obviously, the opinions inside these articles are not my own. No guarantee for correct- or completeness in any way.