cyberlights – week 12/2025
A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!
Highlight
🔊 Everything You Say to Your Echo Will Soon Be Sent to Amazon, and You Can’t Opt Out privacy – From March 28 Amazon removes the Echo setting that kept voice requests on the device: every recording is processed in Amazon's cloud, a change tied to the launch of Alexa+, and users cannot opt out. https://www.wired.com/story/everything-you-say-to-your-echo-will-be-sent-to-amazon-starting-march-28/
News For All
🎭 Scammers Pose as Cl0p Ransomware to Send Fake Extortion Letters cybercrime – Scammers are impersonating the Cl0p ransomware gang to send fake extortion emails and letters, leveraging fear and misinformation to defraud businesses. https://hackread.com/scammers-pose-cl0p-ransomware-fake-extortion-letters/
🔑 RDP attack: Which passwords are hackers using against RDP ports in 2025? security research – Research shows hackers are targeting RDP ports using weak passwords like '123456' and 'P@ssw0rd', highlighting the need for stronger password policies and multi-factor authentication. https://specopssoft.com/blog/passwords-used-in-attacking-rdp-ports/
💻 Free file converter malware scam “rampant” claims FBI warning – The FBI warns that free online file converter tools are being used to spread malware that harvests personal data such as passwords and Social Security numbers, and urges users to be cautious about which converters they use. https://www.bitdefender.com/en-us/blog/hotforsecurity/free-file-converter-malware-scam-rampant-claims-fbi
🍏 Apple has revealed a Passwords app vulnerability that lasted for months vulnerability – A bug in the iOS 18 Passwords app, fixed in iOS 18.2, left users open to phishing for about three months: the app fetched account logos and password-change pages over unencrypted HTTP, which an attacker on the same network could intercept and redirect. https://www.theverge.com/news/632108/apple-ios-passwords-app-bug-vulnerability-phishing-attacks
🤖 Trained on buggy code, LLMs often parrot same mistakes security research – Researchers found that large language models frequently reproduce buggy code instead of correcting it, with error rates nearly equal for both correct and buggy completions, highlighting limitations in handling complex code. https://www.theregister.com/2025/03/19/llms_buggy_code/
🎣 Attackers use CSS to create evasive phishing messages security news – Cisco Talos describes phishing emails that use CSS to hide filler text from the reader but not from spam filters, and that abuse features such as @media queries and remote @font-face fetches to fingerprint the recipient's mail client and confirm the message was opened. https://securityaffairs.com/175512/security/attackers-use-css-to-create-evasive-phishing-messages.html
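The two CSS tricks in the item above (text hidden from the reader, and style rules that make the client fetch remote resources) are easy to spot once you look for them. The scanner below is an added example written for this digest; it is not code from Cisco Talos or from the linked article. It is a heuristic, not a renderer: it only inspects inline style attributes and <style> blocks, and the sample message is constructed.

```python
"""Heuristic scan of an HTML email for CSS-hidden text and remote CSS fetches.

Added example for this digest (not Cisco Talos code). Heuristic only: inline
`style` attributes and <style> blocks are examined; no CSS cascade is computed.
The sample email at the bottom is constructed."""

import re
from html.parser import HTMLParser

# Inline declarations that make an element (and its text) invisible to a reader.
HIDING_PATTERNS = [
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"opacity\s*:\s*0(?:\.0+)?(?![\d.])", re.I),
    re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?(?![\d.])", re.I),
    re.compile(r"text-indent\s*:\s*-\d{3,}", re.I),
]
ZERO_BOX = re.compile(r"(?:width|height)\s*:\s*0(?:px)?(?![\d.])", re.I)
OVERFLOW_HIDDEN = re.compile(r"overflow\s*:\s*hidden", re.I)
REMOTE_URL = re.compile(r"""url\(\s*['"]?(https?://[^'")\s]+)""", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}


def style_hides(style: str) -> bool:
    """True if an inline style string hides the element's text."""
    if any(p.search(style) for p in HIDING_PATTERNS):
        return True
    return bool(ZERO_BOX.search(style) and OVERFLOW_HIDDEN.search(style))


class EmailCssScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._open = []          # one bool per open element: did it hide its subtree?
        self._hidden_depth = 0   # > 0 while inside a hidden element
        self._in_style = False
        self.hidden_text = []    # text a human reader never sees
        self.css = []            # raw contents of <style> blocks

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return               # no matching end tag, so do not push onto the stack
        hides = style_hides(dict(attrs).get("style") or "")
        self._open.append(hides)
        self._hidden_depth += hides
        self._in_style = tag == "style"

    def handle_startendtag(self, tag, attrs):
        pass                     # <br/> and friends: nothing to track

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        if self._open:
            self._hidden_depth -= self._open.pop()

    def handle_data(self, data):
        if self._in_style:
            self.css.append(data)            # html.parser hands <style> content through raw
        elif self._hidden_depth and data.strip():
            self.hidden_text.append(" ".join(data.split()))


def scan_email_html(html: str) -> dict:
    scanner = EmailCssScanner()
    scanner.feed(html)
    scanner.close()
    css = "\n".join(scanner.css)
    return {
        "hidden_text": scanner.hidden_text,
        "remote_css_urls": REMOTE_URL.findall(css),   # each one is a callback to the sender
        "media_queries": css.count("@media"),         # conditional fetches leak client properties
    }


# Constructed sample: one visible lure, three pieces of hidden "salt", two tracking fetches.
SAMPLE_EMAIL = """<html><head><style>
  @font-face { font-family: "t"; src: url("https://track.example.invalid/f.woff?u=42"); }
  @media (prefers-color-scheme: dark) { body { background: url("https://track.example.invalid/d.png"); } }
</style></head>
<body>
  <p>Your invoice is attached. Please review and pay today.</p>
  <p style="display:none">lorem ipsum shipping confirmation weather report</p>
  <span style="font-size:0px;color:#fff">unrelated salting text to dilute filters</span>
  <div style="text-indent:-9999px; width:0; overflow:hidden">more hidden filler</div>
  <img src="https://mail.example.invalid/logo.png" alt="">
</body></html>"""

if __name__ == "__main__":
    for key, value in scan_email_html(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

A mail gateway rule built on this would weigh hidden text by volume (a few hidden words are common in legitimate templates, a paragraph of unrelated vocabulary is not) and treat any remote fetch inside @media or @font-face as a tracking indicator.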
🚨 People Are Using AI to Create Influencers With Down Syndrome Who Sell Nudes cybercrime – A network of Instagram accounts uses AI to create deepfake influencers with Down syndrome, stealing content from real creators and monetizing it on adult platforms, leading to a disturbing new industry. https://www.404media.co/people-are-using-ai-to-create-influencers-with-down-syndrome-who-sell-nudes/
🔍 Six additional countries identified as suspected Paragon spyware customers privacy – Citizen Lab identified six new countries as suspected customers of Paragon Solutions' spyware, raising concerns over its use against activists and the company's claims of responsible sales practices. https://cyberscoop.com/six-countries-suspected-paragon-spyware-customers/
🔓 US teachers' union says hackers stole sensitive personal data on over 500,000 members data breach – The Pennsylvania State Education Association reported a cyberattack that compromised sensitive personal data of over 517,000 members, including Social Security numbers and financial information. https://techcrunch.com/2025/03/19/us-teachers-union-says-hackers-stole-sensitive-personal-data-on-over-500000-members/
📵 Turkey restricts social media following arrest of president’s main rival security news – Turkey has restricted access to major social media platforms after the arrest of Istanbul Mayor Ekrem İmamoğlu, sparking public protests and highlighting ongoing government crackdowns on dissent. https://therecord.media/turkey-restricts-social-media-imamoglu-arrest
🔒 WhatsApp fixed zero-day flaw used to deploy Paragon Graphite spyware vulnerability – WhatsApp addressed a zero-click vulnerability exploited by Paragon's Graphite spyware to target journalists and civil society members, disrupting a campaign that affected over 90 users. https://securityaffairs.com/175629/security/whatsapp-fixed-zero-day-flaw-used-to-deploy-paragon-graphite-spyware-spyware.html
🔍 Data breach at stalkerware SpyX affects close to 2 million, including thousands of Apple users data breach – A data breach at SpyX exposed personal data of nearly 2 million users, including Apple account credentials, raising concerns about the risks associated with consumer-grade spyware. https://techcrunch.com/2025/03/19/data-breach-at-stalkerware-spyx-affects-close-to-2-million-including-thousands-of-apple-users/
🔒 BlackLock Ransomware: What You Need To Know cybercrime – BlackLock is a rapidly growing ransomware group that encrypts and exfiltrates data, operating under a RaaS model. It has launched numerous attacks across various sectors and employs aggressive recruitment tactics. https://www.tripwire.com/state-of-security/blacklock-ransomware-what-you-need-know
🗺️ Google sues alleged scammers over 10,000 fake Maps listings security news – Google is suing a network of scammers for creating 10,000 fake business listings on Maps, following a tip-off from a locksmith. The company blocked 12 million fake businesses in 2023. https://www.theverge.com/news/633601/google-sues-fake-business-scams-maps
🌐 Major web services go dark in Russia amid reported Cloudflare block security news – Widespread outages in Russia, attributed to the blocking of Cloudflare, affected services like TikTok and banking apps, as regulators push for local hosting to improve internet security. https://therecord.media/russia-websites-dark-reported-cloudflare-block
🌍 How to Avoid US-Based Digital Services—and Why You Might Want To privacy – Amid concerns over Big Tech's alignment with the Trump administration, many are moving their digital lives to overseas services to protect privacy and data rights, exploring various non-US alternatives. https://www.wired.com/story/trump-era-digital-expat/
🌀 Cloudflare turns AI against itself with endless maze of irrelevant facts security news – Cloudflare launched 'AI Labyrinth' to combat unauthorized AI data scraping by enticing bots into a maze of fake content, wasting their resources instead of blocking them outright. https://arstechnica.com/ai/2025/03/cloudflare-turns-ai-against-itself-with-endless-maze-of-irrelevant-facts/
🕹️ Valve removes video game demo suspected of being malware malware – Valve has removed the game demo for 'Sniper: Phantom’s Resolution' from Steam after users reported it was installing malware, following a similar incident with another game last month. https://techcrunch.com/2025/03/21/valve-removes-video-game-demo-suspected-of-being-malware/
Some More, For the Curious
🔓 Supply Chain Security Risk: GitHub Action tj-actions/changed-files Compromised security research – The tj-actions/changed-files GitHub Action was compromised: its version tags were repointed at a malicious commit that dumps the runner's memory and prints CI/CD secrets into build logs, which anyone can read for public repositories. Comment: the big one this week. https://www.aquasec.com/blog/github-action-tj-actions-changed-files-compromised/
👽 Security Risks of Setting Access Control Allow Origin: * cyber defense – A permissive CORS policy (a literal wildcard, or a server that reflects any Origin while allowing credentials) is a serious risk, especially when session cookies are still sent cross-site: any website a victim visits can then read responses from the authenticated session. https://projectblack.io/blog/security-risks-of-setting-access-control-allow-origin/
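To make the item above concrete, here is a small model of the browser/server handshake for a credentialed cross-origin request, contrasting a server that reflects any Origin with one that checks an allowlist. This is an added example written for this digest, not code from the linked article. The origins, cookie settings and header dictionaries are constructed; the browser-side rule follows the CORS check in the Fetch standard.

```python
"""Reflected-Origin CORS versus an allowlist, seen from the browser's side.

Added example for this digest (not the linked article's code). Origins and
header dictionaries are constructed; `browser_exposes` mirrors the Fetch
standard's CORS check, `cookie_attached` the SameSite rules."""

from __future__ import annotations

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}  # constructed


def cors_reflecting(origin: str | None) -> dict[str, str]:
    """Weak: browsers reject a literal `*` together with credentials, so a common
    workaround is to echo the request Origin. That is a wildcard in effect."""
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_allowlisted(origin: str | None) -> dict[str, str]:
    """Hardened: exact match against a fixed allowlist, never reflect, and tell
    caches the response varies by Origin so one answer is not reused for another."""
    headers = {"Vary": "Origin"}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cookie_attached(samesite: str, cross_site: bool, top_level_navigation: bool = False) -> bool:
    """Whether a session cookie travels with the request. Lax cookies ride only on
    cross-site top-level navigations, never on a cross-site fetch()/XMLHttpRequest."""
    if not cross_site:
        return True
    mode = samesite.lower()
    if mode == "none":
        return True
    if mode == "lax":
        return top_level_navigation
    return False  # strict


def browser_exposes(origin: str, headers: dict[str, str], credentialed: bool) -> bool:
    """Fetch CORS check: with credentials, ACAO must equal the origin (not `*`)
    and ACAC must be `true`; without credentials `*` is acceptable."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if not credentialed:
        return acao in ("*", origin)
    return acao == origin and headers.get("Access-Control-Allow-Credentials") == "true"


def attacker_reads_session(cors_policy, samesite: str,
                           attacker_origin: str = "https://evil.example.invalid") -> bool:
    """Can a page on attacker_origin read an authenticated API response through
    fetch(url, {credentials: 'include'})? Cookie *and* CORS check must both cooperate."""
    if not cookie_attached(samesite, cross_site=True):   # fetch(), not a navigation
        return False                                      # request arrives anonymous
    return browser_exposes(attacker_origin, cors_policy(attacker_origin), credentialed=True)


if __name__ == "__main__":
    for policy in (cors_reflecting, cors_allowlisted):
        for samesite in ("None", "Lax", "Strict"):
            print(f"{policy.__name__:17s} SameSite={samesite:6s} "
                  f"leaks={attacker_reads_session(policy, samesite)}")
```

Two knobs decide the outcome: the allowlist stops the leak even with SameSite=None cookies, and SameSite=Lax stops it even with a reflecting server, because the cookie never reaches the server on a cross-site fetch. Fixing only one of them leaves the other as the single line of defence.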
🕵️♂️ BitM Up! Session Stealing in Seconds Using the Browser-in-the-Middle Technique security research – Mandiant reveals the Browser-in-the-Middle (BitM) technique allows attackers to steal session tokens quickly, emphasizing the need for robust security measures like hardware-based MFA and client certificates. https://cloud.google.com/blog/topics/threat-intelligence/session-stealing-browser-in-the-middle/
⚙️ Improvements in Brute Force Attacks security research – New research reveals significant advancements in GPU-assisted brute force attacks on cryptographic algorithms, highlighting the need for stronger key lengths as optimized methods greatly reduce attack times. https://www.schneier.com/blog/archives/2025/03/improvements-in-brute-force-attacks.html
💰 Microsoft identifies new RAT targeting cryptocurrency wallets and more malware – Microsoft discovered StilachiRAT, a stealthy remote access trojan that steals sensitive data from cryptocurrency wallets and Chrome, and manipulates system settings to evade detection. https://therecord.media/stilachirat-new-remote-access-trojan-crypto-wallets
🔒 Microsoft isn't fixing 8-year-old zero day used for spying security news – Microsoft is not patching a Windows shortcut (.LNK) flaw that Trend Micro says state-sponsored groups have exploited for espionage since 2017; the trick hides malicious command-line arguments from the shortcut's Properties dialog, and Microsoft classes it as a user-interface issue that does not meet its bar for servicing. https://www.theregister.com/2025/03/18/microsoft_trend_flaw/
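Since there is no patch coming, the practical answer is detection. The script below parses a shortcut's header and StringData section and flags command-line arguments that begin with a long run of whitespace, or that contain line and page control characters, which is what pushes the real command out of the visible part of the Properties dialog. It is an added example written for this digest, not code from Trend Micro, Microsoft or The Register. The layout follows the public Shell Link format (76-byte header, optional LinkTargetIDList and LinkInfo, then StringData); the sample shortcuts are built in memory, so nothing is read from disk, and the command strings in them are constructed.

```python
"""Flag .LNK files whose command-line arguments are padded with leading whitespace.

Added example for this digest (not Trend Micro or Microsoft code). Follows the
public Shell Link layout; the shortcuts and command strings below are constructed."""

from __future__ import annotations

import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, IS_UNICODE = 0x20, 0x80
SW_SHOWNORMAL = 1
PAD_CHARS = " \t\n\x0b\x0c\r"   # space, tab, LF, VT, FF, CR: all render as blank in the dialog


def build_lnk(arguments: str | None) -> bytes:
    """Minimal shortcut: 76-byte header plus, optionally, a Unicode COMMAND_LINE_ARGUMENTS field."""
    flags = IS_UNICODE | (HAS_ARGUMENTS if arguments is not None else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0,            # FileAttributes
                         0, 0, 0,      # Creation/Access/Write time
                         0, 0,         # FileSize, IconIndex
                         SW_SHOWNORMAL, 0, 0, 0, 0)  # ShowCommand, HotKey, Reserved1-3
    if arguments is None:
        return header
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


def parse_arguments(lnk: bytes) -> str | None:
    """Return the COMMAND_LINE_ARGUMENTS string, or None if the shortcut has none."""
    if len(lnk) < 0x4C or struct.unpack_from("<I", lnk)[0] != 0x4C or lnk[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", lnk, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) followed by IDList
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", lnk, pos)[0]

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", lnk, pos)[0]   # characters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            raw, pos = lnk[pos:pos + 2 * count], pos + 2 * count
            return raw.decode("utf-16-le")
        raw, pos = lnk[pos:pos + count], pos + count
        return raw.decode("cp1252", errors="replace")

    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR):  # StringData has a fixed order
        if flags & flag:
            read_string()
    return read_string() if flags & HAS_ARGUMENTS else None


def scan_lnk(lnk: bytes, pad_threshold: int = 32) -> dict:
    """Suspicious if the arguments open with a long run of padding, or contain
    line/page control characters that never belong in a legitimate command line."""
    args = parse_arguments(lnk)
    if args is None:
        return {"has_arguments": False, "leading_whitespace": 0, "suspicious": False, "arguments": ""}
    leading = len(args) - len(args.lstrip(PAD_CHARS))
    control = any(c in args for c in "\n\x0b\x0c\r")
    return {"has_arguments": True, "leading_whitespace": leading,
            "suspicious": leading >= pad_threshold or control, "arguments": args}


if __name__ == "__main__":
    samples = {   # constructed
        "benign":   build_lnk("/c echo hello"),
        "padded":   build_lnk(" " * 300 + "/c cmd.exe /q /k downloader.exe"),
        "controls": build_lnk("\t\r\n\x0b\x0c /c cmd.exe /q /k downloader.exe"),
    }
    for name, data in samples.items():
        r = scan_lnk(data)
        print(f"{name:9s} suspicious={r['suspicious']} leading={r['leading_whitespace']}")
```

Pointed at a mail attachment or a downloads folder, the same `scan_lnk` call works on real files (`scan_lnk(open(path, "rb").read())`); the threshold is a tuning knob, since a handful of leading spaces is harmless while hundreds are not.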
🎮 New Arcane stealer spreading via YouTube and Discord malware – The Arcane stealer, distributed through YouTube videos and Discord, targets sensitive data from various applications and gaming clients, using deceptive methods to install malware on victims' devices. https://securelist.com/arcane-stealer/115919/
🛠️ Rules File Backdoor: AI Code Editors exploited for silent supply chain attacks security research – The 'Rules File Backdoor' attack exploits AI code editors like GitHub Copilot to inject malicious code via hidden Unicode, compromising software without detection and posing significant risks. https://securityaffairs.com/175593/hacking/rules-file-backdoor-ai-code-editors-silent-supply-chain-attacks.html
📰 Ransomware groups keep exploiting critical Fortinet vulnerabilities – warning about devices that were patched but had already been compromised warning – CERT.at advisory (in German). https://www.cert.at/de/warnungen/2025/3/ransomware-gruppen-nutzen-weiterhin-kritische-fortinet-schwachstellen-warnung-vor-gepatchten-aber-bereits-kompromittierten-geraten
🚨 Critical GitHub Attack security research – A cascading supply chain attack compromised several GitHub Actions (the attackers first took over reviewdog/action-setup and used it to reach tj-actions/changed-files), putting secrets at risk in the more than 23,000 repositories that use the action. CISA confirms the fix shipped in tj-actions/changed-files version 46.0.1. Comment: the big one again. https://www.schneier.com/blog/archives/2025/03/critical-github-attack.html
💰 Russian zero-day seller is offering up to $4 million for Telegram exploits cybercrime – Operation Zero is offering up to $4 million for Telegram exploits, reflecting the demand from the Russian government for vulnerabilities in popular messaging apps, particularly amidst security concerns. https://techcrunch.com/2025/03/21/russian-zero-day-seller-is-offering-up-to-4-million-for-telegram-exploits/
🧟 'Dead simple' RCE exploit in Apache Tomcat under attack vulnerability – A newly disclosed Apache Tomcat vulnerability (CVE-2025-24813) is being exploited for unauthenticated remote code execution. The RCE path needs several non-default conditions on the server: a default servlet with writes enabled (readonly=false), file-based session persistence, and a deserialization gadget on the classpath; partial PUT support, which is on by default, is the remaining ingredient. https://www.theregister.com/2025/03/18/apache_tomcat_java_rce_flaw/
🔒 Veeam fixed critical Backup & Replication flaw CVE vulnerability – Veeam patched a critical vulnerability (CVE-2025-23120) in Backup & Replication that let authenticated domain users execute code remotely on domain-joined backup servers; the fix is in version 12.3.1. https://securityaffairs.com/175674/slider/veeam-critical-backup-replication-vulnerability.html
CISA Corner
🔐 Supply Chain Compromise of Third-Party GitHub Action, CVE-2025-30066 security news – The tj-actions/changed-files GitHub Action was compromised, exposing sensitive information like access keys and tokens. A patch has been released, and related actions may also be at risk. Comment: the big one this week. https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066
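The compromise covered in the two tj-actions items above and in this CISA alert worked because workflows referenced the action by a mutable tag, which the attacker simply moved to a malicious commit. The audit below finds such references in workflow files: anything that is not a full 40-hex commit SHA can be retargeted without the consuming repository changing a single line. It is an added example written for this digest, not code from tj-actions, CISA or the linked posts; the workflow text is constructed, the action names in it are illustrative and the SHA is a placeholder.

```python
"""Audit GitHub Actions workflows for third-party actions referenced by a mutable ref.

Added example for this digest (not tj-actions or CISA code). The sample workflow
is constructed; its action names are illustrative and its SHA is a placeholder."""

from __future__ import annotations

import re
from dataclasses import dataclass

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA = re.compile(r"^[0-9a-f]{7,39}$")
# `- uses: owner/repo[/path]@ref`, optionally quoted, optionally followed by a comment
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^@'"\s]+)@([^'"\s#]+)""")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    reason: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` step that is not pinned to a full commit SHA."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_LINE.match(line)
        if not match:
            continue  # local actions (./path) carry no '@ref' that an upstream could move
        action, ref = match.groups()
        if action.startswith("docker://"):
            continue  # container images are pinned by digest, a different mechanism
        if FULL_SHA.match(ref):
            continue  # pinned: changing what runs requires editing this file
        if SHORT_SHA.match(ref):
            reason = "abbreviated SHA"  # GitHub's guidance is the full 40-character SHA
        elif ref in ("main", "master", "HEAD") or ref.startswith("refs/heads/"):
            reason = "branch ref"
        else:
            reason = "tag ref"          # v4, v45.0.1, ...: can be force-moved by the maintainer or a thief
        findings.append(Finding(line_no, action, ref, reason))
    return findings


# Constructed workflow: two tag refs, one branch ref, one properly pinned step, one local step.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # placeholder SHA for the demo
      - uses: ./.github/actions/local-step
      - uses: "some-org/some-action@main"
      - run: npm test
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref} ({f.reason})")
```

Run it over every file under `.github/workflows/` and fix findings by replacing the tag with the commit SHA it currently resolves to, keeping the version in a trailing comment for readability. Pinning stops a moved tag; it does not review what the pinned commit does, so the first pin still deserves a look at the action's source.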
⚙️ CISA Releases Seven Industrial Control Systems Advisories vulnerability – CISA issued seven advisories detailing vulnerabilities in various Industrial Control Systems, urging users to review the advisories for technical insights and mitigation strategies. https://www.cisa.gov/news-events/alerts/2025/03/18/cisa-releases-seven-industrial-control-systems-advisories
⚙️ CISA Releases Five Industrial Control Systems Advisories vulnerability – CISA issued five advisories regarding vulnerabilities in various Industrial Control Systems, urging users to review them for technical details and mitigation strategies. https://www.cisa.gov/news-events/alerts/2025/03/20/cisa-releases-five-industrial-control-systems-advisories
⚠️ CISA Adds Two Known Exploited Vulnerabilities to Catalog warning – CISA has added two vulnerabilities to its catalog due to active exploitation: an authentication bypass in Fortinet's FortiOS and malicious code in the tj-actions/changed-files GitHub Action. https://www.cisa.gov/news-events/alerts/2025/03/18/cisa-adds-two-known-exploited-vulnerabilities-catalog
⚠️ CISA Adds Three Known Exploited Vulnerabilities to Catalog warning – CISA has added three vulnerabilities to its catalog due to active exploitation: an OS command injection in Edimax cameras, an absolute path traversal in NAKIVO, and a directory traversal in SAP NetWeaver. https://www.cisa.gov/news-events/alerts/2025/03/19/cisa-adds-three-known-exploited-vulnerabilities-catalog
While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.
(by @wrzlbrmpft@infosec.exchange) Obviously, the opinions inside these articles are not my own. No guarantee for correct- or completeness in any way.