WEEKLY TOP TEN: February 24, 2025, 16:00 GMT
- Record Cryptocurrency Heist Totals Over $1.4 Billion
Bybit, a cryptocurrency exchange, reported that an unknown attacker stole roughly $1.46 billion in ETH from one of its cold wallets in a sophisticated attack that manipulated the signing interface shown to the wallet's signers. The attacker gained control of the wallet and transferred the funds to an unidentified address. Bybit states that all other cold wallets remain secure, client funds are safe, and exchange operations continue undisrupted. The theft is now the largest crypto hack on record, surpassing the 2022 Ronin network hack. Crypto investigator ZachXBT reported that the stolen ETH is already being split across multiple addresses.

- North Korean Recruiting Campaign Targets Freelance Software Devs
North Korean hackers are targeting freelance developers with malware delivered through fake job offers, in a campaign tracked as DeceptiveDevelopment. They use platforms such as LinkedIn and Upwork to trick victims into downloading malicious software that steals cryptocurrency wallets and credentials. The malware families involved, BeaverTail and InvisibleFerret, run on Windows, Linux, and macOS and give the attackers remote access and data-theft capability.

- New Strain of Android Malware Accrues Over 100K Downloads
The SpyLend malware app, downloaded more than 100,000 times from Google Play, posed as a financial tool but was used for predatory lending, mainly targeting users in India. Part of the SpyLoan malware family, it harvested sensitive data, including contacts, call logs, and live location, to extort victims. The app and similar variants have been removed from Google Play, but copies already installed may still be running on devices. Cybersecurity firm CYFIRMA advises affected users to uninstall the app, revoke its permissions, and secure their accounts.

- Over a Million Unique Credit Cards Published in Data Dump
The carding site B1ack's Stash leaked more than 1 million unique credit and debit card records on February 19, 2025, most likely as a marketing tactic to attract cyber criminals. The leaked data includes PANs, CVVs, expiration dates, and personal details, with many of the cards issued by European banks. Experts suspect the data was obtained through e-skimming. This follows similar leaks by BidenCash and other underground marketplaces, underlining the ongoing threat to payment security; banks are urged to monitor the dark web as part of fraud prevention.

- Black Basta Ransomware Gang Internal Communications Leaked
A major leak of internal chats from the Black Basta ransomware gang surfaced on February 11, 2025, exposing internal conflicts and day-to-day operations. The 50MB JSON file, posted by a Telegram user, was quickly removed, but security researchers are analyzing its Russian-language contents. Key revelations include multimillion-dollar ransom demands, a $1M annual fee for access to the malware, and a 17-year-old affiliate. The leak, reportedly triggered by the gang targeting Russian banks, also exposed leadership tensions, particularly involving a figure named "Tramp", and rivalries with other ransomware groups.

- New macOS Malware Strain Spread via Fake Browser Updates
Fake browser update lures are spreading malware to Mac, Windows, and Android users. The threat actors tracked as TA2726 and TA2727 use compromised websites to trick visitors into downloading FrigidStealer (macOS), Lumma Stealer (Windows), and the Marcher banking Trojan (Android). All three steal credentials and financial data.

- Apple Removes Data Privacy Features After UK Government Requests a Backdoor
Apple has withdrawn iCloud end-to-end encryption (Advanced Data Protection, ADP) for new users in the U.K. after a government order demanded a backdoor for access to encrypted cloud data. Existing U.K. users who have ADP enabled will eventually be required to disable it. iMessage, FaceTime, Health, and iCloud Keychain remain end-to-end encrypted. Apple reaffirmed its commitment to security and maintains that it has never provided any government with backdoor access.

- Cisco Vulnerabilities Used to Infiltrate US Telecom Providers
Cisco has confirmed that the Chinese APT group Salt Typhoon used stolen credentials, and in at least one case exploited CVE-2018-0171, to infiltrate U.S. telecom networks, maintaining access in one case for more than three years. The attackers relied on living-off-the-land (LOTL) techniques, pivoting between networks while capturing SNMP, TACACS, and RADIUS traffic to harvest further credentials. They also altered device configurations, created local accounts, and used JumbledPath, a Go-based tool for remote packet capture and log wiping. Cisco separately observed exploitation of devices with exposed Smart Install (SMI) via CVE-2018-0171 that it does not attribute to Salt Typhoon.

- US Government Warns of Continued Activity from Ghost Ransomware Group
Ghost ransomware targets unpatched, internet-facing systems, exploiting known flaws such as CVE-2018-13379 (Fortinet FortiOS SSL VPN) and ProxyShell (Microsoft Exchange) for initial access. The group uses Cobalt Strike to escalate privileges and move laterally. The FBI and CISA recommend patching these vulnerabilities, segmenting networks, and maintaining backups to limit the impact of an attack.

- OpenSSH Vulnerabilities Lead to Man-in-the-Middle and Denial-of-Service Attacks
The Qualys Threat Research Unit disclosed two OpenSSH vulnerabilities. CVE-2025-26465 (CVSS 6.8) lets an attacker perform a man-in-the-middle attack against the OpenSSH client, potentially allowing session hijacking and data theft; it is only reachable when the VerifyHostKeyDNS option is enabled, which is off by default. CVE-2025-26466 (CVSS 5.9) affects both client and server and enables a pre-authentication denial of service that drives up CPU and memory use and can lock legitimate users out of a server. Both flaws are fixed in OpenSSH 9.9p2. Separately, CVE-2024-6409, a signal-handler race condition in sshd on RHEL 9 that could lead to remote code execution, was patched in July 2024.
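As an added example (not part of the original digest), the following Python triage helper checks an OpenSSH banner against the 9.9p2 fix and, for the client-side MITM issue, whether VerifyHostKeyDNS is actually enabled in the effective client configuration. The sample banner and `ssh -G` output are constructed; on a real host the same functions take the output of `ssh -V 2>&1` and `ssh -G <host>`. A version comparison alone overreports on distributions that backport fixes without changing the banner, so a flagged host should be confirmed against the vendor advisory.

```python
"""Triage helper for CVE-2025-26465 / CVE-2025-26466 (added example, not from the digest)."""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Portable OpenSSH release that fixes both CVEs.
FIXED_VERSION: Tuple[int, int, int] = (9, 9, 2)

# Matches 'OpenSSH_9.6p1 ...' (ssh -V) and 'SSH-2.0-OpenSSH_9.2p1 Debian-2' (server banner).
_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, portable_patch) from an OpenSSH banner, or None if not OpenSSH."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def version_below_fix(banner: str) -> Optional[bool]:
    """True when the banner version predates 9.9p2 (the upstream fix); None for non-OpenSSH.

    Caveat: distributions often backport fixes without bumping the banner, so True means
    'check the vendor advisory', not 'confirmed vulnerable'.
    """
    ver = parse_openssh_version(banner)
    return None if ver is None else ver < FIXED_VERSION


def verify_host_key_dns_enabled(ssh_g_output: str) -> bool:
    """Parse `ssh -G <host>` output; True when VerifyHostKeyDNS is 'yes' or 'ask'.

    CVE-2025-26465 is only reachable when this option is on; it is off by default.
    """
    for line in ssh_g_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "verifyhostkeydns":
            return parts[1].lower() in ("yes", "ask")
    return False


def assess_client(banner: str, ssh_g_output: str) -> Dict[str, bool]:
    """Combine version and configuration into per-CVE exposure flags for an OpenSSH client."""
    old = version_below_fix(banner) is True
    return {
        # Pre-auth DoS: depends only on the version (affects client and server).
        "CVE-2025-26466": old,
        # MITM: needs an old version AND VerifyHostKeyDNS enabled.
        "CVE-2025-26465": old and verify_host_key_dns_enabled(ssh_g_output),
    }


def local_client_assessment(host: str = "example.org") -> Dict[str, bool]:
    """Run the check against the local ssh binary (requires ssh on PATH); `ssh -V` prints to stderr."""
    banner = subprocess.run(["ssh", "-V"], capture_output=True, text=True).stderr
    cfg = subprocess.run(["ssh", "-G", host], capture_output=True, text=True).stdout
    return assess_client(banner, cfg)


if __name__ == "__main__":
    # Constructed sample data standing in for `ssh -V 2>&1` and `ssh -G example.org`.
    SAMPLE_BANNER = "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024"
    SAMPLE_SSH_G = "hostname example.org\nverifyhostkeydns yes\nstricthostkeychecking ask\n"
    for cve, exposed in assess_client(SAMPLE_BANNER, SAMPLE_SSH_G).items():
        print(f"{cve}: {'review' if exposed else 'ok'}")
```

The split between the two flags is the practical point: a 9.6p1 client with VerifyHostKeyDNS left at its default of `no` is still exposed to the pre-auth DoS but not to the MITM, so the MITM finding should not be raised on version alone.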
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The ten stories above were selected from the 40+ we tracked during the week as the most significant, ranked by risk and corroborated with multiple sources where available.