⚡ THN Weekly Recap: Google Secrets Stolen, Windows Hack, New Crypto Scams and More

April 17, 2025 | Ravie Lakshmanan | Cyber Threats / Cybersecurity

Welcome to this week’s Cybersecurity News Recap. Discover how cyber criminals got hold of sensitive data using sophisticated schemes like bogus codes and shady emails. We cover everything from device code phishing to cloud attacks, breaking down the complex details into plain, easy-to-follow insights.

Threat of the Week:

Russian Threat Actors Leverage Device Code Phishing to Hack Microsoft Accounts — Microsoft and Volexity have disclosed that threat actors with ties to Russia are leveraging a technique known as device code phishing to gain unauthorized access to victim accounts, and are using that access to get hold of sensitive data and maintain persistent access to the victim environment. At least three distinct groups with links to Russia have been identified as using the approach to date. The attacks involve sending phishing emails that masquerade as Microsoft Teams meeting invitations, which, when clicked, prompt the recipients to authenticate using a threat actor-generated device code, thus allowing the adversary to hijack the authenticated session using the resulting access token.

Top News

  • whoAMI Attack Exploits AWS AMI Name Confusion for Remote Code Execution — A new type of name confusion attack called whoAMI allows anyone who publishes an Amazon Machine Image (AMI) with a specific name to gain code execution within Amazon Web Services (AWS) accounts that select AMIs by that name. According to Datadog, which detailed the attack, roughly 1% of the organizations it monitors were affected by whoAMI, and it discovered public examples of code written in Python, Go, Java, Terraform, Pulumi, and Bash shell using the vulnerable search criteria. AWS told The Hacker News that there is no evidence of malicious exploitation of the security weakness.

  • One of the most active cybercrime organizations in 2024 was the RansomHub ransomware operation, which has targeted over 600 organizations globally across sectors like healthcare, finance, government, and critical infrastructure. One such attack has been found to weaponize now-patched security flaws in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to a victim network’s domain controller as part of the post-compromise strategy.
  • uses Outlook Drafts for Command-and-Control — A previously undocumented threat activity cluster, dubbed , has been observed using a remote administration tool named FINALDRAFT that parses commands stored in the mailbox’s drafts folder and creates new draft emails for each command. It makes use of the Outlook email service via the Microsoft Graph API for command-and-control (C2) purposes. The group has been spotted attacking the foreign ministry of an unnamed South American country, as well as a telecommunications company and a university, both located in Southeast Asia.
  • Embraces ClickFix-Style Attack Strategy — The North Korean threat actor known as (aka Black Banshee) is using a new tactic that involves deceiving targets into running PowerShell as an administrator and then instructing them to paste and run malicious code provided by the attacker. The threat actor “masquerades as a South Korean government official and over time develops rapport with a target before sending a spear-phishing email with an [sic] PDF attachment,” according to Microsoft. Users are then convinced to click on a URL urging them to register their device in order to read the PDF attachment. The aim of the attack is to set up a data communication mechanism that makes it possible for the adversary to exfiltrate data.
  • Law Enforcement Op Takes Down 8Base — A consortium of law enforcement agencies has arrested four Russian nationals and seized over 100 servers linked to the 8Base ransomware gang. The arrests were made in Thailand. Two of the suspects are accused of operating a cybercrime group that used Phobos ransomware to victimize more than 1,000 public and private entities in the country and across the world. The development comes in the wake of a number of well-known ransomware incidents involving Hive, LockBit, and BlackCat in recent years. Late last year, Evgenii Ptitsyn, a 42-year-old Russian national believed to be the administrator of the Phobos ransomware, was extradited to the U.S.
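As an added illustration of the name-confusion pattern Datadog describes in the whoAMI item above (example code written for this recap, not Datadog’s or AWS’s own code), the following simulates an AMI lookup over constructed image records: a lookup that filters on name only and takes the most recent image picks up a look-alike from an unknown account, while pinning the owner account excludes it. The account IDs, image IDs and image names are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class Image:
    """Subset of the fields an AMI listing returns (constructed for this example)."""
    image_id: str
    name: str
    owner_id: str
    creation_date: datetime


# Constructed sample data (placeholder IDs, not real AMIs or accounts):
# two public images whose names match the same wildcard, one from the
# account we actually trust and a *newer* look-alike from an unrelated account.
TRUSTED_OWNER = "111111111111"  # placeholder: the vendor account we trust
SAMPLE_IMAGES = [
    Image("ami-trusted0001", "acme-base-linux-2024-12-01", TRUSTED_OWNER,
          datetime(2024, 12, 1, tzinfo=timezone.utc)),
    Image("ami-lookalike01", "acme-base-linux-2025-02-01", "999999999999",
          datetime(2025, 2, 1, tzinfo=timezone.utc)),
]


def _matching(images: Iterable[Image], name_pattern: str) -> list:
    """Apply the wildcard name filter, as a `name` filter on describe-images would."""
    return [img for img in images if fnmatchcase(img.name, name_pattern)]


def pick_ami_name_only(images: Iterable[Image], name_pattern: str) -> Optional[Image]:
    """Vulnerable lookup: name filter plus "most recent", no owner restriction.

    Whoever publishes the newest public image matching the pattern wins,
    which is exactly the name-confusion window whoAMI describes.
    """
    candidates = _matching(images, name_pattern)
    if not candidates:
        return None
    return max(candidates, key=lambda img: img.creation_date)


def pick_ami_owner_pinned(images: Iterable[Image], name_pattern: str,
                          allowed_owners: Set[str]) -> Image:
    """Fixed lookup: restrict to explicitly trusted owner account IDs first.

    This mirrors passing `Owners=[...]` to describe-images or `owners` to a
    Terraform aws_ami data source; a look-alike name from another account is
    never a candidate, and no match at all fails closed instead of guessing.
    """
    candidates = [img for img in _matching(images, name_pattern)
                  if img.owner_id in allowed_owners]
    if not candidates:
        raise LookupError(
            f"no image matching {name_pattern!r} from owners {sorted(allowed_owners)}")
    return max(candidates, key=lambda img: img.creation_date)


if __name__ == "__main__":
    unsafe = pick_ami_name_only(SAMPLE_IMAGES, "acme-base-linux-*")
    safe = pick_ami_owner_pinned(SAMPLE_IMAGES, "acme-base-linux-*", {TRUSTED_OWNER})
    print("name-only lookup chose:", unsafe.image_id, "owner", unsafe.owner_id)
    print("owner-pinned lookup chose:", safe.image_id, "owner", safe.owner_id)
```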

Trending CVEs

Your go-to software could be hiding dangerous security flaws—don’t wait until it’s too late! Update right away to avoid being caught off guard by threats.

This week’s list includes — (PostgreSQL), (Palo Alto Networks PAN-OS), (NVIDIA Container Toolkit), (Microsoft Windows Storage), (Microsoft Windows Ancillary Function Driver for WinSock), (Ivanti Connect Secure), (Ivanti Cloud Services Application), (Progress Kemp LoadMaster), (Apple iOS and iPadOS), (OpenSSL), (Microsoft Windows OLE), (WinZip), (Apache Fineract), (Apache Ignite), (Hirsch Enterphone MESH), (s2Member Pro plugin), (Oliver POS – A WooCommerce Point of Sale (POS) plugin), (HP LaserJet), , , (mySCADA myPRO Manager), (WP Directorybox Manager plugin), (Campress theme), (GitLab CE/EE), (WP Job Board Pro plugin), (Security & Malware scan by CleanTalk plugin), (Real Estate 7 theme), and (Lexmark Print Management Client).

Around the Cyber World

  • Former Google Engineer Charged with Plan to Steal Trade Secrets — Linwei Ding, a former Google engineer who was arrested last March for transferring “sensitive Google trade secrets and other confidential information from Google’s network to his personal account,” has now been charged with seven counts of economic espionage and seven counts of theft of trade secrets related to the company’s AI technology between 2022 and 2023. This included detailed information about the architecture and function of Google’s Tensor Processing Unit (TPU) and Graphics Processing Unit (GPU) chips and systems, the software that enables the chips to communicate and carry out tasks, and the software that orchestrates thousands of chips into a supercomputer capable of training and running cutting-edge AI workloads. The trade secrets also relate to Google’s custom-designed SmartNIC, a type of network interface card used to enhance Google’s GPU, high performance, and cloud networking products. The U.S. Department of Justice stated that “Ding intended to benefit the PRC government by stealing trade secrets from Google.” “Ding allegedly stole technology relating to the hardware infrastructure and software platform that allows Google’s supercomputing data center to train and serve large AI models.” The superseding indictment added that Chinese-sponsored talent programs offer salaries, research funds, lab space, or other incentives to individuals engaged in research and development abroad. If convicted, Ding faces a maximum penalty of 10 years in prison and up to a $250,000 fine for each trade-secret count, and 15 years in prison and a $5,000,000 fine for each economic espionage count.

  • An alleged Chinese nation-state group known as is actively exploiting a UI vulnerability in Microsoft Windows, according to Israeli cybersecurity firm ClearSky. “When files are extracted from compressed ‘RAR’ files they are hidden from the user,” the company said. “If the compressed files are extracted into a folder, the folder appears empty in the Windows Explorer GUI. When using the ‘dir’ command to list all files and folders inside the target folder, the extracted files and folders are ‘invisible/hidden’ to the user. Someone familiar with the exact path can still execute those extracted files from a command line prompt. Executing ‘attrib -s -h’ on the system-protected files creates an unknown file type from the type ‘Unknown’ ActiveX component.” Who the target(s) of the attack are and what the campaign’s ultimate objectives are is not known at this time.
  • Meta Paid Over $2.3M in Bug Bounty Rewards in 2024 — Meta said it paid out more than $2.3 million in rewards to nearly 200 security researchers as part of its bug bounty program in 2024. Since the start of the program in 2011, the company has distributed more than $20 million in total. The top three countries based on bounties awarded in 2024 are India, Nepal, and the United States.
  • In the last few days, threat actors have been actively exploiting two known security flaws in ThinkPHP and ownCloud from hundreds of unique IP addresses, the majority of which are located in Germany, China, the United States, Singapore, Hong Kong, the Netherlands, the United Kingdom, and Canada. Organizations are recommended to apply the necessary patches (ThinkPHP to 6.0.14+ and ownCloud GraphAPI to 0.3.1+) and restrict access to reduce the attack surface.
  • The Security Service of Ukraine (SSU) has detained one of its own high-level officials, who is accused of serving as an FSB mole for Russia. The individual, an official of the SSU Counterterrorism Center, is alleged to have been recruited by Russia’s Federal Security Service (FSB) in Vienna in 2018, and to have actively begun engaging in espionage at the end of December last year, transmitting documents containing state secrets to the intelligence agency via a “special mobile phone.” When the SSU learned of the man’s actions, it claimed to have “used him in a counterintelligence ‘game’: the SSU fed the enemy a lot of disinformation through the traitor.” The individual’s name was not disclosed, but the Kyiv Independent reported it’s Colonel Dmytro Kozyura, citing unnamed SSU sources.
  • Hits DeepSeek — Malicious actors have been spotted using the popularity of AI chatbot platform DeepSeek to launch what’s known as attacks, which involve selling access to legitimate cloud environments to other actors for a fee. These attacks involve the use of stolen credentials to allow access to machine learning services via the OpenAI Reverse Proxy (ORP), which acts as a reverse proxy server for LLMs of various providers. The ORP operators use to conceal their IP addresses. Ultimately, the illicit LLM access is used to generate NSFW content and malicious scripts, and even to circumvent bans on ChatGPT in countries like China and Russia, where the service is blocked. “Cloud-based LLM usage costs can be staggering, exceeding several hundreds of thousands of dollars per month,” Sysdig said. “The high cost of LLMs is the reason cybercriminals choose to steal credentials rather than pay for LLM services. Due to high costs, a black market for access to OAI Reverse Proxies has emerged, and underground service providers have sprung up to meet customer needs.”
  • Romance Baiting Scams Jump 40% YoY — Pig butchering scams, also called romance baiting, accounted for 33.2% of the estimated $9.9 billion in revenue earned by cybercriminals from cryptocurrency scams in 2024, growing nearly 40% year-over-year. However, the average deposit amount for pig butchering scams decreased by 55% YoY, likely reflecting a shift in how these scams are carried out. “Pig butchering scammers have also evolved to diversify their business model beyond the ‘long con’ of pig butchering scams — which can take months and even years of developing a relationship before receiving victim payments — to quicker turnaround that typically yields smaller victim deposits,” Chainalysis said. Further analysis of on-chain activity has revealed that is frequently engaged in illicit crypto-based activities to support the Southeast Asian pig butchering industry. Scammers have also been observed using generative AI technology to facilitate crypto scams, often to impersonate others or generate realistic content.
  • Security Problems in RedNote Flagged — It’s not just DeepSeek. A new network security analysis undertaken by the Citizen Lab has uncovered multiple issues in RedNote’s (aka Xiaohongshu) Android and iOS apps. These include sending viewed images and videos over HTTP, sending insufficiently encrypted device metadata, and a vulnerability that enables network attackers to learn the contents of any files that RedNote has permission to read on users’ devices. While the second vulnerability was introduced by an upstream analytics SDK, MobTech, the third issue was introduced by NEXTDATA. As of writing, all the issues remain unfixed. The vulnerabilities “could enable surveillance by any government or ISP, and not just the Chinese government,” the Citizen Lab said.
  • CISA Advises Organizations on Buffer Overflows — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a Secure by Design Alert on buffer overflow vulnerabilities. “These vulnerabilities can lead to data corruption, sensitive data exposure, program crashes, and unauthorized code execution,” the agencies said, labeling them unforgivable defects. “Threat actors frequently exploit these flaws to gain initial access to an organization’s network and then move laterally to the wider network.” Saeed Abbasi, manager of vulnerability research at Qualys Threat Research Unit (TRU), emphasized the need to move away from memory-unsafe languages. “In 2025, the world has zero tolerance for memory-unsafe code,” Abbasi said. “Yes, rewriting old systems is daunting, but letting attackers exploit decades-old buffer overflows is worse. Organizations that continue to adhere to unsafe languages run the risk of minor flaws turning into major breaches, and they can’t claim surprise. We’ve had proven fixes for ages: phased transitions to Rust or other memory-safe options, compiler-level safeguards, thorough adversarial testing, and public commitments to a secure-by-design roadmap. The real problem is collective will: software buyers must hold vendors accountable, and leadership must demand memory-safe transitions.”
  • Foreign Adversaries Target Local Communities in the U.S. for Influence Ops — A new report from the Alliance for Securing Democracy (ASD) has found that foreign nation-state actors from Russia, China, and Iran are running influence operations that exploit trust in local sources and target state and local communities in the U.S., with the aim of manipulating public opinion, stoking discord, and undermining democratic institutions. According to the research, “in some cases, adversarial nations seek favorable outcomes around local policy issues,” while in others they use local debates as Trojan horses to advance their broader geopolitical goals. Russia emerged as the most active threat actor, with 26 documented cases designed to polarize Americans through themes related to immigration and election integrity. Beijing’s efforts, on the other hand, aimed at fostering acquiescence to Chinese state interests.
  • Financial Orgs Asked to Switch to Quantum-Safe Cryptography — Europol is urging financial institutions and policymakers to transition to post-quantum cryptography, citing an “imminent” threat to cryptographic security due to the rapid advancement of quantum computing. The primary danger is that threat actors could steal encrypted data from the cloud today with the intention of decrypting it later once quantum computers are capable of doing so, an approach known as “harvest now, decrypt later” or retrospective decryption. “A sufficiently advanced quantum computer has the potential to break widely used public-key cryptographic algorithms, endangering the confidentiality of financial transactions, authentication processes, and digital contracts,” the agency said. Although it is believed that quantum computers capable of these threats could emerge within the next ten to fifteen years, a significant amount of time will be needed to transition away from vulnerable cryptographic methods. “A successful transition to post-quantum cryptography requires collaboration among financial institutions, technology providers, policymakers, and regulators.” The first three “quantum-safe” algorithms were officially standardized by the U.S. National Institute of Standards and Technology (NIST) last year.
  • Google Addresses High Impact Flaws — Google has fixed a pair of security flaws that could be chained by malicious actors to unmask the email address of any YouTube channel owner. The first is a vulnerability in a YouTube API that leaks an internal account identifier Google uses to manage accounts across its network of websites. That ID could then be fed as input to an outdated web API associated with , which converts it into an email address when sharing a recording. The issues were resolved as of February 9, 2025, following responsible disclosure on September 24, 2024. There is no evidence that these shortcomings were ever abused in the wild.
  • Eric Council Jr., 25, of Alabama, has admitted guilt on charges relating to the January 2024 breach of the X account of the United States Securities and Exchange Commission (SEC). The account was taken over to falsely announce that the SEC had approved BTC Exchange Traded Funds, causing a spike in the price of bitcoin. The attack was carried out by using a fake identity card, printed with an ID card printer, at a mobile phone provider’s store to have the victim’s phone number ported to a SIM card in the defendant’s possession. Council, who was arrested in December 2024, pleaded guilty to conspiracy to commit aggravated identity theft and access device fraud. He faces a maximum sentence of five years in prison. In a related development, a 22-year-old man from Indiana, Evan Frederick Light, was sentenced to 20 years in federal prison for running a massive cryptocurrency theft scheme from his mother’s basement. In February 2022, Light allegedly robbed nearly 600 victims of their personal information and cryptocurrency worth more than $37 million from an investment holdings company in South Dakota. The stolen cryptocurrency was then funneled to various locations throughout the world, including several mixing services and gambling websites, to conceal his identity and hide the virtual currency. Andean Medjedovic, a 22-year-old Canadian national, has also been charged by the Justice Department with using smart contract flaws in two decentralized finance crypto platforms, KyberSwap and Indexed Finance, to extort about $65 million from the investors of the protocols between 2021 and 2023. A master’s degree holder in mathematics from the University of Waterloo, Medjedovic is also alleged to have laundered the proceeds through mixers and in an attempt to conceal the source and ownership of the funds. Medjedovic is charged with one count of wire fraud, one count of unauthorized damage to a protected computer, one count of attempted Hobbs Act extortion, one count of money laundering conspiracy, and one count of money laundering. He faces over 30 years in prison.
  • U.S. Senator Ron Wyden and Member of Congress Andy Biggs have written to Tulsi Gabbard, the Director of National Intelligence, urging her to press the U.K. to retract its order, which they say threatens the “privacy and of both the American people and the U.S. government,” after it was reported that officials in the U.K. had ordered Apple to create a backdoor to access any Apple user’s iCloud content. “If the U.K. does not immediately reverse this dangerous effort, we urge you to reevaluate U.S.-U.K. cyber arrangements and programs as well as U.S. intelligence sharing with the U.K.,” they added. The alleged Apple backdoor request, according to reports, would allow authorities to access data that is currently protected by Advanced Data Protection, potentially affecting users all over the world. Wyden has also released a draft version of the Global Trust in American Online Services Act that seeks to “secure Americans’ communications against abusive foreign demands to weaken the of communications services and software used by Americans.” British officials have neither confirmed nor denied the order, while experts have criticized it.

Cybersecurity Webinars

  • Join our webinar, “From Code to Runtime: Transform Your App Security,” to learn how ASPM can transform app security. Learn how to connect code details with live data to fix gaps before they become risks. Discover smart, proactive ways to safeguard your applications in real time.

  • Webinar 2: — Join our free webinar with experts Karl Henrik Smith and Adam Boucher as they show you how to spot and close identity gaps with Okta’s Secure Identity Assessment. Learn easy ways to improve security, concentrate on crucial fixes, and strengthen your defense against threats.

P. S. Know someone who could use these? Share it, please.

Cybersecurity Tools

  • WPProbe is a fast WordPress plugin scanner that uses REST API enumeration to stealthily detect installed plugins without brute force, by comparing exposed endpoints against a precompiled database of over 900 plugins. It also maps detected plugins to known vulnerabilities (CVEs) and outputs results in CSV or JSON format, making scans both speedy and less likely to trigger security defenses.

  • is a powerful and simple network forensic analysis tool designed for network administrators and security researchers. It digs deep into PCAP files or live network captures to extract passwords, rebuild TCP sessions, map your network visually, and even convert password hashes for offline brute force testing with Hashcat. Available as a Windows or Linux GUI or a flexible CLI.

Tip of the Week

Segment Your Wi-Fi Network for Better Protection — You likely have many connected devices in your smart home today, from laptops and smartphones to smart TVs and other IoT devices. When all these devices share the same Wi‑Fi network, a breach in one device could potentially put your entire network at risk. By breaking up your network into distinct segments, similar to how large corporations separate sensitive information, home network segmentation helps protect you.

To set this up, use your router’s guest network or VLAN features to create different SSIDs, such as “Home_Private” for personal devices and “Home_IoT” for smart gadgets. Make sure your router is set up so that devices on one network cannot communicate with those on another, and that each network uses strong encryption (WPA3 or WPA2) with unique passwords. Test your setup by connecting your devices accordingly and verifying that cross-network traffic is blocked, then periodically check your router’s dashboard to keep the configuration working smoothly.

Conclusion

That concludes this week’s cybersecurity news. We’ve covered a broad range of stories—from the case of a former Google engineer charged with stealing key AI secrets to hackers taking advantage of a Windows user interface flaw. We’ve also seen how law enforcement and industry experts work hard to catch up with cybercriminals as they enter new areas like AI misuse and cryptocurrency scams.

These headlines remind us that cyber threats come in many forms, and every day, new risks emerge that can affect everyone from large organizations to individual users. Keep an eye on these developments and take precautions to safeguard your digital life. Thank you for joining us, and we look forward to keeping you informed next week.

Found this article interesting? Follow us on and to read more exclusive content we post.
