The CISO Brief
Top Cybersecurity Threats, Tools and Tips [10 February]

By Staff Writer, February 12, 2025 (updated May 17, 2025)
Feb 10, 2025 | Ravie Lakshmanan | Cybersecurity / Weekly Recap

In cybersecurity, the smallest crack can lead to the biggest breaches. A leaked encryption key, an unpatched software bug, or an abandoned cloud storage bucket—each one seems minor until it becomes the entry point for an attack.

This week, we’ve seen cybercriminals turn overlooked weaknesses into major security threats, proving once again that no system is too small to be targeted. The question isn’t whether attackers will find a way in—it’s whether you’ll be prepared when they do.

Let’s break down what you need to know.

⚡ Threat of the Week

Microsoft Warns of Attacks Exploiting ASP.NET Machine Keys — Threat actors are exploiting publicly disclosed ASP.NET machine keys to inject and execute malicious code responsible for launching the Godzilla post-exploitation framework. Microsoft said it has identified over 3,000 publicly disclosed keys that could be used for these types of attacks dubbed ViewState code injection. The company also said it removed key-related artifacts from “limited instances” where they were included in its documentation.
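The attack works because ASP.NET validates (and, with AES configured, encrypts) every ViewState with the keys in the application's <machineKey> element, so whoever holds the validationKey can sign a serialized payload that the server will deserialize and execute. The practical first step is to find out whether any web.config in the estate carries a static key copied from a public source. The script below is an added example, not Microsoft's tooling: it parses a constructed web.config, fingerprints any static machineKey values, compares them with a blocklist of SHA-256 fingerprints (built here from made-up sample keys; in practice populate it from keys you have collected from public documentation, forum posts and repositories), and generates replacement keys in the sizes IIS itself uses.

```python
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed sample key material for this example. These are NOT real leaked
# keys; they stand in for values copied from a public snippet into web.config.
LEAKED_VALIDATION_KEY = "A1" * 64   # 128 hex chars, the usual HMACSHA256 size
LEAKED_DECRYPTION_KEY = "B2" * 32   # 64 hex chars, AES-256

SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{LEAKED_VALIDATION_KEY}"
                decryptionKey="{LEAKED_DECRYPTION_KEY}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

HEX_KEY = re.compile(r"^[0-9A-Fa-f]+$")


def key_fingerprint(key: str) -> str:
    """SHA-256 over the normalised (upper-case, no whitespace) hex key.
    Sharing fingerprints rather than keys lets a blocklist of leaked keys
    circulate without re-publishing the key material itself."""
    return hashlib.sha256("".join(key.split()).upper().encode()).hexdigest()


# Blocklist of fingerprints of keys known to be public (constructed from the
# sample keys above).
KNOWN_LEAKED = {key_fingerprint(LEAKED_VALIDATION_KEY),
                key_fingerprint(LEAKED_DECRYPTION_KEY)}


def extract_machine_keys(config_xml: str) -> list[dict]:
    """Return every <machineKey> element (root level or inside <location>)."""
    root = ET.fromstring(config_xml)
    return [dict(el.attrib) for el in root.iter("machineKey")]


def audit_machine_key(mk: dict, leaked: set[str] = KNOWN_LEAKED) -> list[str]:
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")  # ASP.NET default
        if value.startswith("AutoGenerate"):
            continue  # generated per machine at runtime; never inside a snippet
        static = value.replace(",IsolateApps", "")
        if not HEX_KEY.match(static):
            findings.append(f"{attr}: not a hex key ({value!r})")
            continue
        findings.append(f"{attr}: static key present in config")
        if key_fingerprint(static) in leaked:
            findings.append(f"{attr}: MATCHES A PUBLICLY DISCLOSED KEY; rotate now")
    if mk.get("validation", "HMACSHA256").upper() in ("MD5", "SHA1"):
        findings.append(f"validation={mk['validation']}: weak MAC algorithm")
    return findings


def audit_config(config_xml: str, leaked: set[str] = KNOWN_LEAKED) -> list[str]:
    out = []
    for mk in extract_machine_keys(config_xml):
        out.extend(audit_machine_key(mk, leaked))
    return out


def new_machine_key() -> dict:
    """Fresh random keys in the sizes IIS generates: a 64-byte validation key
    for HMACSHA256 and a 32-byte decryption key for AES."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


if __name__ == "__main__":
    for line in audit_config(SAMPLE_WEB_CONFIG):
        print(line)
    print("replacement:", new_machine_key())
```

Rotating the key invalidates in-flight ViewState and any forms-authentication tickets signed with the old one, so roll it out to every node of a web farm at the same time. If a disclosed key has already been used against a server, rotation closes the entry point but does not remove anything the attacker left behind; treat that host as compromised and investigate it.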

🔔 Top News

Multiple Security Flaws Come Under Exploitation — Malicious actors are exploiting recently disclosed security flaws in SimpleHelp remote desktop software (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) as part of a suspected ransomware attack. Separately, Russian cybercrime groups have been found to exploit a flaw affecting the 7-Zip archiver tool (CVE-2025-0411) to evade mark-of-the-web (MotW) protections on Windows systems and deliver the SmokeLoader malware as part of attacks aimed at Ukrainian entities. Lastly, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that a security flaw impacting Trimble Cityworks GIS-centric asset management software (CVE-2025-0994) has come under active exploitation in the wild.
Ransomware Payments Drop to $813.5M in 2024 — Ransomware attacks earned cybercrime groups $813.5 million in 2024, marking a significant drop from $1.25 billion in 2023. That said, 2024 also witnessed the highest volume of annual ransomware cases since 2021, reaching a staggering 5,263 attacks, an increase of 15% year-over-year. The decline is attributed to the growing law enforcement success in dismantling ransomware gangs, heightened global awareness about the threat, and a fragmented ecosystem where lone wolf actors are known to seek smaller ransom payments.
Lazarus’s Job-Themed Campaign Delivers JavaScript Malware — The Lazarus Group of North Korea has been linked to an active campaign that leverages fake LinkedIn job offers in the cryptocurrency and travel sectors to deliver malware capable of infecting Windows, macOS, and Linux operating systems. Bitdefender, which identified the activity, said it likely falls under the Contagious Interview cluster, although the JavaScript malware used in the attacks is different from BeaverTail samples used in the latter.
SparkCat Uses Android and iOS Apps to Steal Data — A new malware campaign dubbed SparkCat has leveraged a suite of bogus apps on both Apple’s and Google’s respective app stores to steal victims’ mnemonic phrases associated with cryptocurrency wallets. The development marks one of the first instances where a stealer with optical character recognition (OCR) capabilities has been discovered in the Apple App Store. The offending apps have since been removed from both the app storefronts.
Kyrgyzstan and Turkmenistan Orgs Targeted by Silent Lynx — A never-before-seen hacking group tracked as Silent Lynx has targeted embassies, lawyers, government-backed banks, and think tanks located in Kyrgyzstan and Turkmenistan to deploy a PowerShell script that uses Telegram for command-and-control. The activity, attributed with medium confidence to a Kazakhstan-origin threat actor, shares tactical overlaps with another hacking group named YoroTrooper (aka SturgeonPhisher), which has been linked to attacks targeting Commonwealth of Independent States (CIS) countries using PowerShell and Golang tools.

‎️‍🔥 Trending CVEs

Your go-to software could be hiding dangerous security flaws—don’t wait until it’s too late! Update now and stay ahead of the threats before they catch you off guard.

This week’s list includes — CVE-2025-25064, CVE-2025-25065 (Zimbra Collaboration), CVE-2024-57968, CVE-2025-25181 (Advantive VeraCore), CVE-2025-20124, CVE-2025-20125 (Cisco Identity Services Engine), CVE-2025-23114 (Veeam Backup), CVE-2024-56161 (AMD), CVE-2025-21415 (Azure AI Face Service), CVE-2024-53104 (Linux Kernel/Android), CVE-2022-22706 (Arm), CVE-2025-23369 (GitHub Enterprise Server), PSV-2023-0039, PSV-2024-0117 (NETGEAR), CVE-2025-24118 (Apple), CVE-2025-24648, CVE-2024-43333 (Admin and Site Enhancements plugin), and CVE-2025-24734 (Better Find and Replace plugin).

📰 Around the Cyber World

Brute-Force Attack Campaign Targets Networking Devices — Threat hunters are warning of a large-scale brute force password attack using nearly 2.8 million IP addresses to guess the credentials for a wide range of networking devices, including those from Ivanti, Palo Alto Networks, and SonicWall, per the Shadowserver Foundation. The IP addresses are mainly located in Brazil, Russia, Turkey, Argentina, Iraq, and Morocco, among others. These IP addresses belong to IoT devices from various vendors like MikroTik, Huawei, Cisco, Boa, and ZTE, which are commonly infected by botnet malware.
Rare Wolf Goes After Russia — The threat actor known as Rare Wolf (aka Rezet) has been linked to a new set of cyber attacks targeting Russian industrial enterprises in January 2025. The attacks involve the use of phishing lures that employ themes related to seminar invitations in order to deliver malware. Russian organizations across various industries have also been targeted by a large-scale campaign designed to propagate NOVA stealer, a new commercial fork of Snake Keylogger.
AI Agents Can Become a Vector for Bot-Driven Card Testing Attacks — Threat actors are known to use automated bot programs to test pilfered cards on multiple e-commerce websites. Such card testing attacks typically exploit stolen credit card details through small, unnoticed purchases to verify active cards for larger fraud. “This entire operation is highly automated, making it challenging for fraud detection systems to catch these fraudulent transactions in real time,” Group-IB said. “By the time the actual cardholder notices unusual activity, fraudsters may have already validated multiple cards, and used them for larger unauthorized transactions.” With the advent of AI agents to perform web-based tasks on behalf of users, the company said the tools present new risks for the banking industry, allowing for automation of card testing and fraud operations at scale.
Abandoned AWS S3 Buckets Can Be Repurposed for Supply Chain Attacks — New research has found that it's possible to re-register the names of abandoned Amazon S3 buckets in order to stage supply chain attacks at scale. watchTowr Labs said it discovered about 150 Amazon S3 buckets that had previously been used across commercial and open-source software products, governments, and infrastructure deployment/update pipelines. It then re-registered them under the same names for a mere $420.85. Over a period of two months, the cybersecurity company said, the buckets received more than 8 million HTTP requests for software updates, JavaScript files, virtual machine images, pre-compiled binaries for Windows, Linux, and macOS, and SSL-VPN configurations, among others. This means a threat actor in possession of these buckets could have answered those requests with a nefarious software update, CloudFormation templates that grant unauthorized access to an AWS environment, or malicious executables. The requests, watchTowr said, originated from the government networks of the U.S., the U.K., Poland, Australia, South Korea, Turkey, Taiwan, and Chile; military networks; Fortune 500 companies; instant messaging platforms; and universities. The findings once again highlight the security risk associated with abandoned or expired infrastructure, and how source code references to non-existent cloud assets can have serious supply chain ramifications. "We believe that in the wrong hands, the research we have performed could have led to supply chain attacks that out-scaled and out-impacted anything we as an industry have seen so far – or put more clearly, we would've embarrassed Cozy Bear and made their SolarWinds adventures look amateurish and insignificant," the company said.
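The mechanism is simple: S3 bucket names are globally unique, and once the owner deletes a bucket anyone can create one with the same name and answer whatever the old clients still request from it. The script below is an added example, not watchTowr's tooling: it pulls bucket names out of the three URL forms in which S3 references usually appear in code and configuration (s3://, virtual-hosted HTTPS and path-style HTTPS), then classifies each name from the unauthenticated response to its root URL, using the status codes S3 actually returns (a 404 with NoSuchBucket means nobody owns the name). The sample references and the stub responses are constructed; `http_probe` issues the real request and is not exercised by the sample run.

```python
import re
from typing import Callable

# Constructed sample of references as they might sit in an installer script,
# a package manifest and an HTML page. The bucket names are invented.
SAMPLE_REFERENCES = """\
curl -sSL https://example-updates.s3.amazonaws.com/latest/agent.tar.gz -o agent.tar.gz
wget https://s3.us-west-2.amazonaws.com/example-firmware-images/v2/fw.bin
aws s3 cp s3://example-cfn-templates/prod/stack.yaml .
<script src="https://example-cdn.s3.eu-west-1.amazonaws.com/js/app.min.js"></script>
# not S3 at all: https://releases.example.org/agent.tar.gz
"""

# S3 bucket names: 3-63 chars of lower-case letters, digits, dots and hyphens.
_BUCKET = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"
S3_PATTERNS = (
    # s3://bucket/key
    re.compile(rf"s3://({_BUCKET})(?:[/\s]|$)"),
    # virtual-hosted style: bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com
    re.compile(rf"https?://({_BUCKET})\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),
    # path style: s3.amazonaws.com/bucket, s3.<region>.amazonaws.com/bucket
    re.compile(rf"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/({_BUCKET})(?:[/\s?]|$)"),
)


def extract_buckets(text: str) -> set[str]:
    """Every distinct bucket name referenced in `text`, across all URL forms."""
    return {m.group(1) for pat in S3_PATTERNS for m in pat.finditer(text)}


def classify_bucket(bucket: str, probe: Callable[[str], tuple[int, str]]) -> str:
    """Interpret the unauthenticated response for the bucket's root URL.
    404 + NoSuchBucket: the name is unowned, so anyone can create it and serve
    the requests that your shipped code still sends there."""
    status, body = probe(bucket)
    if status == 404 and "NoSuchBucket" in body:
        return "DANGLING"
    if status == 403:
        return "EXISTS_PRIVATE"          # owned by someone, listing denied
    if status in (200, 301, 307):
        return "EXISTS"                  # public listing, or redirect to its region
    return "UNKNOWN"


def audit_references(text: str, probe: Callable[[str], tuple[int, str]]) -> dict[str, str]:
    return {b: classify_bucket(b, probe) for b in sorted(extract_buckets(text))}


def http_probe(bucket: str, timeout: float = 10.0) -> tuple[int, str]:
    """Real probe: one unauthenticated GET per bucket, no AWS credentials needed."""
    import urllib.error
    import urllib.request
    url = f"https://{bucket}.s3.amazonaws.com/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


# Constructed stand-in responses so the example runs offline.
STUB_RESPONSES = {
    "example-updates": (404, "<Error><Code>NoSuchBucket</Code></Error>"),
    "example-firmware-images": (404, "<Error><Code>NoSuchBucket</Code></Error>"),
    "example-cfn-templates": (403, "<Error><Code>AccessDenied</Code></Error>"),
    "example-cdn": (200, "<ListBucketResult/>"),
}


def stub_probe(bucket: str) -> tuple[int, str]:
    return STUB_RESPONSES.get(bucket, (0, ""))


if __name__ == "__main__":
    for bucket, verdict in audit_references(SAMPLE_REFERENCES, stub_probe).items():
        print(f"{verdict:15} {bucket}")
```

A DANGLING verdict on a name that is still referenced by shipped software is the condition watchTowr exploited; the cheap fix is to recreate the bucket under your own account and keep it, empty, for as long as old clients might call it. Anything that sits behind a name you cannot guarantee ownership of (updates, templates, binaries) should also be verified by signature or pinned hash on the client side, so a re-registered bucket cannot simply substitute content.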
Five Eyes Nations Release Guidance for Edge Devices — Five Eyes cybersecurity agencies in Australia, Canada, New Zealand, the U.K., and the U.S., along with Czechia and Japan, have released joint guidance for network edge devices, urging device manufacturers to improve forensic visibility by integrating secure-by-default logging to help defenders detect attacks and investigate incidents. Organizations are also recommended to follow vendor hardening guides, subscribe to vendor notifications and advisories, keep devices always updated, enable centralized logging, enforce multi-factor authentication (MFA), disable unused functionality, maintain detailed device inventories, track configuration changes, detect hardware changes, review security policies, implement role-based access control, and include edge device compromise in their incident response plans. The development comes as edge appliances are increasingly becoming a lucrative target for gaining access to target environments.
U.K. Reportedly Asks for Backdoor Access to Apple iCloud Data — Security officials in the U.K. are said to have ordered Apple to create a backdoor to access any Apple user's iCloud content. The demand, first reported by The Washington Post, "requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies." The order is said to have been issued by the U.K. Home Office under the Investigatory Powers Act (IPA), also nicknamed the Snoopers' Charter. In response, Apple is expected to stop offering encrypted storage, specifically Advanced Data Protection, in the U.K. Neither the company nor U.K. government officials have formally commented on the matter. In a statement shared with the BBC, Privacy International called the move an "unprecedented attack" on the private data of individuals that "sets a hugely damaging precedent." Apple offers two levels of encryption for iCloud: Standard data protection and Advanced Data Protection. Under the former, iCloud data is encrypted but Apple holds the keys in its own data centers, and only certain categories of data, such as health data and passwords, are end-to-end encrypted. Advanced Data Protection, in contrast, is an opt-in feature that extends end-to-end encryption (E2EE) to most iCloud data, including device backups. Security services and lawmakers have consistently pushed back against the growing use of end-to-end encryption services, arguing that they could deter efforts to combat serious crime such as terrorism and child sexual abuse, as well as help criminals conceal illicit activity.
“Dangerous Hacker” Arrested in Spain — Spanish law enforcement authorities have announced the arrest of an individual suspected of conducting cyber attacks against dozens of organizations. The unnamed man was arrested in the town of Calpe in Spain’s Alicante province for allegedly carrying out attacks on more than 40 organizations and leaking stolen data under the alias “natohub.” This included NATO, the United Nations, the U.S. Army, and the International Civil Aviation Organization (ICAO). He is also accused of targeting organizations in Spain, including the country’s mint, universities, government entities, and law enforcement agencies. “The suspect, who had extensive knowledge of computers, had managed to set up a complex technological network through the use of anonymous messaging and browsing applications, through which he had managed to hide his tracks and thus make his identification difficult,” the National Police said.

🎥 Expert Webinar

From Code to Runtime: See How ASPM Transforms Application Protection — Join our next webinar with Amir Kaushansky of Palo Alto Networks and discover how ASPM transforms app security. Learn to unify code insights with runtime data, close security gaps, and shift from reactive fixes to proactive defense. Empower your team with smarter, holistic protection against modern threats.
From Debt to Defense: How to Spot and Fix Identity Gaps — Join this free webinar and learn how to close identity gaps and fortify your defenses. Experts Karl Henrik Smith and Adam Boucher will reveal how Okta’s Secure Identity Assessment streamlines processes, prioritizes critical fixes, and future-proofs your identity strategy to reduce risks and optimize resources.


🔧 Cybersecurity Tools

BaitRoute (Honeypot) — A tool that creates fake vulnerable web endpoints to catch attackers in the act. When someone tries to exploit one of these decoy routes, you get an instant alert with details such as the source IP address and the request. It integrates with existing Go, Python, or JavaScript projects and ships with ready-to-use rules, so you can start protecting your site right away.
Volatility Workbench — A free, open-source GUI for memory forensics that speeds up analysis and removes the command-line hassle. It auto-detects the target system, saves settings, and supports Windows, macOS, and Linux memory images, making investigations simpler and faster.

🔒 Tip of the Week

Keep Your AI Interactions Private & Secure — AI tools like chatbots and voice assistants collect and store your data, which can be hacked, misused, or even influence your decisions. Avoid sharing personal details (passwords, finances, or sensitive info) in AI chats. Turn off unnecessary permissions (like mic or camera access) when not needed. Use AI services that allow data deletion and opt out of tracking when possible. Always fact-check AI responses before trusting them. Your data is valuable—don’t give away more than necessary.

Conclusion

This week’s developments prove once again that cybersecurity is not a one-time fix but an ongoing battle. Whether it’s closing loopholes, staying ahead of emerging threats, or adapting to new attack strategies, the key to resilience is vigilance.

Keep patching, keep questioning, and keep learning. See you next week with more insights from the front lines of cybersecurity.

