March 10, 2025

News roundup March 10, 2025

San Mateo, CA, March 10, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.

North Korea laundering crypto with “unprecedented” speed

The hackers responsible for stealing nearly $1.4 billion in Ethereum from crypto exchange Bybit have successfully moved almost all of the stolen funds and converted them to Bitcoin, according to Tom Robinson, the co-founder and chief scientist of crypto monitoring firm Elliptic, and Ari Redbord, a former federal prosecutor. Redbord said this is the first phase of the laundering process and that the actors responsible show an “unprecedented level of operational efficiency… The scale and velocity of this operation present new challenges for investigators, as traditional anti-money laundering (AML) mechanisms struggle to keep pace with the high volume of illicit transactions.” Redbord said that the speedy laundering indicates that North Korea has “either expanded its money-laundering infrastructure or that underground financial networks, particularly in China, have enhanced their capacity to absorb and process illicit funds.” Read more.

40+ victims of Medusa ransomware in 2025 so far

The Symantec Threat Hunter Team has reported that since first emerging in 2023, the Medusa ransomware group has claimed nearly 400 victims, with more than 40 of them attacked in the first two months of 2025. In the first year of its existence, Medusa increased its attacks by 42%. Researchers believe that Medusa’s prolific growth suggests that the threat actors behind the operation are rushing to fill the void left after LockBit and BlackCat were disrupted by authorities. Medusa’s ransom demands range from $100,000 to $15 million for healthcare providers and nonprofits. Once they have gained access, Medusa attackers “drop and use remote management and monitoring (RMM) software such as SimpleHelp, AnyDesk, or MeshAgent for persistent access, and employ the tried-and-tested Bring Your Own Vulnerable Driver (BYOVD) technique to terminate antivirus processes using KillAV.” Read more.

Akira encrypts network via unsecured webcam

Cybersecurity firm S-RM reports that they observed the Akira ransomware gang using a novel method to circumvent Endpoint Detection and Response (EDR) by launching encryption attacks via an unsecured webcam. The gang, having had their other attack means quarantined, “explored alternative attack pathways, scanning the network for other devices that could be used to encrypt the files and finding a webcam and fingerprint scanner.” The webcam was targeted because it was “vulnerable to remote shell access and unauthorized video feed viewing.” It also did not have an EDR agent and ran on a Linux-based operating system, which was conveniently compatible with Akira’s Linux encryptor. “As the device was not being monitored, the victim organization’s security team were unaware of the increase in malicious Server Message Block (SMB) traffic from the webcam to the impacted server, which otherwise may have alerted them,” said S-RM. “Akira was subsequently able to encrypt files across the victim’s network.” Read more.
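The S-RM write-up makes a concrete detection point: the webcam had no EDR agent, so the only visible signal was a surge of SMB traffic from a device that should never speak SMB to a file server. The script below is an added illustration of that check and is not S-RM’s or the victim’s tooling. It assumes flow records in a (src, dst, dst_port, bytes) shape and an asset inventory that records which hosts carry an EDR agent; both the flows and the inventory here are constructed for the example.

```python
"""Flag SMB (TCP/445) traffic that originates from unmanaged devices.

Constructed example: the flow records and the asset inventory below are
made up for illustration. In practice they would come from NetFlow/IPFIX,
Zeek conn logs or a firewall, and from the CMDB or EDR console.
"""
from collections import defaultdict

SMB_PORT = 445

# Constructed asset inventory: device role and whether an EDR agent is installed.
INVENTORY = {
    "10.0.1.10": {"role": "workstation", "edr": True},
    "10.0.1.11": {"role": "workstation", "edr": True},
    "10.0.2.5":  {"role": "file-server", "edr": True},
    "10.0.9.40": {"role": "webcam", "edr": False},
    "10.0.9.41": {"role": "fingerprint-scanner", "edr": False},
}

# Constructed flow records: (src, dst, dst_port, bytes_sent).
FLOWS = [
    ("10.0.1.10", "10.0.2.5", 445, 120_000),        # normal user file access
    ("10.0.1.11", "10.0.2.5", 445, 80_000),
    ("10.0.9.40", "10.0.2.5", 445, 900_000_000),    # webcam pushing bulk data over SMB
    ("10.0.9.40", "10.0.2.5", 445, 750_000_000),
    ("10.0.9.41", "10.0.2.5", 445, 4_000),          # scanner: tiny SMB probe
    ("10.0.9.40", "10.0.1.50", 554, 2_000_000),     # RTSP video stream: expected for a camera
    ("10.0.5.77", "10.0.2.5", 445, 10_000),         # host absent from the inventory
]


def is_unmanaged(ip, inventory):
    """A source is unmanaged if it is unknown to the inventory or has no EDR agent."""
    entry = inventory.get(ip)
    return entry is None or not entry["edr"]


def smb_from_unmanaged(flows, inventory, min_bytes=0):
    """Return {src: total_bytes} for SMB flows whose source is unmanaged.

    Sources whose aggregate volume is below min_bytes are dropped, so a single
    small probe does not bury a bulk encryption session in the output.
    """
    totals = defaultdict(int)
    for src, _dst, dport, nbytes in flows:
        if dport == SMB_PORT and is_unmanaged(src, inventory):
            totals[src] += nbytes
    return {src: total for src, total in totals.items() if total >= min_bytes}


def report(flows, inventory, min_bytes=0):
    """Human-readable lines, highest SMB volume first."""
    hits = smb_from_unmanaged(flows, inventory, min_bytes)
    lines = []
    for src, total in sorted(hits.items(), key=lambda kv: -kv[1]):
        role = inventory.get(src, {}).get("role", "unknown host")
        lines.append(f"{src} ({role}) sent {total:,} bytes over SMB/445")
    return lines


if __name__ == "__main__":
    for line in report(FLOWS, INVENTORY, min_bytes=1_000_000):
        print(line)
```

The byte threshold is the important knob: a fingerprint scanner touching a share once is noise, but a camera moving hundreds of megabytes over SMB is the pattern S-RM describes, and it is visible from network telemetry alone even when the device itself cannot host an agent.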

AI-generated video of CEO used in phishing attacks

YouTube issued a warning after discovering that AI-generated video of the company’s CEO is being used to create credential-stealing phishing attacks. The scammers are sharing the content as a private video to targeted users via emails that say that YouTube’s monetization policy is changing. The messaging in the email asks users to “confirm the updated YouTube Partner Program (YPP) terms to continue monetizing your content and accessing all features” by logging into their account via a malicious link. Victims are told that their accounts will be restricted if they fail to comply, putting pressure on recipients. The emails have reportedly been in circulation since late January 2025. Read more.

Cisco Webex for BroadWorks vulnerability allows remote access

There is a new vulnerability in Cisco Webex for BroadWorks Release 45.2. The flaw enables threat actors to “intercept sensitive credentials and user data when Session Initiation Protocol (SIP) communications lack encryption” and “arises from improper handling of SIP headers metadata packets used to establish voice and video sessions—in Windows-based environments.” The flaw has a low severity rating but carries significant operational implications. When SIP is configured without Transport Layer Security (TLS) or Secure Real-Time Transport Protocol (SRTP), authentication credentials embedded in these headers become exposed to attackers on the same network segment who can then use man-in-the-middle attacks to siphon usernames, passwords, and session tokens. Cisco has pushed an update to mitigate this issue, but a restart of Webex is required to activate the changes. Read more.

AI-powered scam detection tools launched for Android

Google has introduced new features for Android devices that use AI to detect conversational scams. Dubbed Scam Detection for messages and calls, Google says the features are built on traditional spam detection but incorporate “the ability to detect suspicious patterns and deliver real-time warnings throughout a conversation, all while prioritizing user privacy.” Scam Detection for messages is designed to alert users to text message scams that start benign but gradually start to ask for sensitive data or manipulate victims into switching apps or sending money. Scam Detection for calls “processes call audio on-device to protect user privacy, with no recording, storage or sharing of conversation audio or transcription.” The feature is off by default and activated by potential scam calls from non-contacts. It also beeps to alert the user when it is enabled. Read more.

U.K. investigates TikTok’s use of children’s data

The Information Commissioner’s Office (ICO), the U.K.’s privacy regulator, has launched an investigation into TikTok, Reddit, and Imgur over concerns about how the sites use children’s personal information. The qualms seem to revolve around algorithmic “recommender systems” that could lead children to harmful content. “My message is simple. If social media and video-sharing platforms want to benefit from operating in the U.K., they must comply with data protection laws. The responsibility to keep children safe online lies firmly at the door of the companies offering these services, and my office is steadfast in its commitment to hold them to account,” said Information Commissioner John Edwards. “In announcing these investigations, we are making it clear to the public what action we are currently taking to ensure children’s information rights are upheld. This is a priority area, and we will provide updates about any further action we decide to take.” Read more.

U.S. shuts down cyber operations targeting Russia

Signaling a shift in strategy relating to cybersecurity, the U.S. has paused offensive operations that target Russia under an order from Defense Secretary Pete Hegseth. Analysts suspect that the pause is intended to de-escalate tensions and possibly ease negotiations over Russia’s aggression in Ukraine. Critics, however, draw attention to the fact that there are no reciprocal concessions from Russia, which continues to deploy offensive operations against its Western adversaries. CISA’s recent removal of Russia from priority threat lists is causing further concern among those who worry that focusing efforts too strongly on China emboldens Moscow to continue to operate unchecked. CISA has not made any significant statements about the adjustments, saying that “there has been no change in our posture. Any reporting to the contrary undermines national security.” Read more.

California shuts down Background Alert data broker

The California Privacy Protection Agency (CPPA) announced that Background Alert, a data broker that relies on “billions of public records to develop and sell individual profiles over its website, drawing inferences about them to identify people who ‘may somehow be associated with’ the individual being searched,” must shut down its business for failing to comply with the state’s Delete Act. The Delete Act mandates that data brokers register with the state of California annually and pay a fee. Background Alert has failed to register and must shut down its business for three years or face a $50,000 fine. According to the CPPA, fees collected from data brokers are used to fund a tool that consumers can use to request that their data be deleted from broker databases. Read more.

Paragon Partition Manager driver exploited

Microsoft has reported that ransomware actors are exploiting a vulnerability within Paragon Partition Manager’s BioNTdrv.sys driver to escalate privileges and execute code. The flaw, tracked as CVE-2025-0289, is one of five vulnerabilities discovered by the company, said the CERT Coordination Center (CERT/CC). “These include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability.” The flaws set the stage for Bring Your Own Vulnerable Driver (BYOVD) attacks, in which an attacker installs the vulnerable driver on a victim’s device and then exploits it to gain administrative access. Read more.
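Both the Medusa item and this Paragon item turn on the same defensive question: can you tell when a known-abusable driver is loaded? The script below is an added example, not Microsoft’s, CERT/CC’s or Symantec’s code. It reviews driver-load records in a constructed key=value format modelled on Sysmon Event ID 6 (DriverLoad) fields and flags three things: a file name or hash on a vulnerable-driver blocklist, a driver loaded from outside the standard driver directories, and a signature that is not reported as valid. BioNTdrv.sys is the driver named above; every hash value, signer string and path in the sample log is a placeholder, and a real deployment would consume Microsoft’s vulnerable-driver blocklist or a similar maintained feed rather than the two-line table here.

```python
"""Review driver-load telemetry for Bring-Your-Own-Vulnerable-Driver (BYOVD) signs.

Constructed example. The records imitate Sysmon Event ID 6 fields but are
made up; the hashes are PLACEHOLDERS, not indicators of compromise.
"""
from dataclasses import dataclass, field

# Placeholder blocklist: lower-case driver file name -> set of known-bad SHA256s.
# Replace with a maintained vulnerable-driver feed in real use.
KNOWN_VULNERABLE = {
    "biontdrv.sys": {"PLACEHOLDER_SHA256_BIONTDRV"},
}

# Directories where properly installed kernel drivers normally live (lower-case).
EXPECTED_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class Finding:
    image: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Parse a constructed 'Key=Value; Key=Value' record into a dict."""
    return dict(kv.strip().split("=", 1) for kv in line.split(";") if "=" in kv)


def assess(event):
    """Return a Finding for a suspicious driver load, or None if nothing stands out."""
    image = event.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    digest = event.get("SHA256", "").upper()
    reasons = []

    bad_hashes = {h.upper() for h in KNOWN_VULNERABLE.get(name, set())}
    if digest in bad_hashes:
        reasons.append("hash is on the vulnerable-driver blocklist")
    elif name in KNOWN_VULNERABLE:
        # Same file name but unknown hash: could be a patched build, so verify version.
        reasons.append("file name matches a known-vulnerable driver (verify version)")

    if not image.lower().startswith(EXPECTED_DIRS):
        reasons.append("loaded from outside the standard driver directories")

    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("code signature not reported as valid")

    return Finding(image, reasons) if reasons else None


def scan(lines):
    """Run assess() over every non-empty log line and keep the hits."""
    findings = (assess(parse_event(line)) for line in lines if line.strip())
    return [f for f in findings if f is not None]


# Constructed sample log: one benign load, one BYOVD-style load from a
# user-writable directory, one driver with no usable signature information.
SAMPLE_LOG = [
    r"EventID=6; ImageLoaded=C:\Windows\System32\drivers\disk.sys; SignatureStatus=Valid; Signature=Microsoft Windows; SHA256=PLACEHOLDER_HASH_DISK",
    r"EventID=6; ImageLoaded=C:\Users\Public\Temp\BioNTdrv.sys; SignatureStatus=Valid; Signature=PLACEHOLDER_SIGNER; SHA256=PLACEHOLDER_SHA256_BIONTDRV",
    r"EventID=6; ImageLoaded=C:\Windows\System32\drivers\vendor_rmm.sys; SignatureStatus=Unavailable; Signature=; SHA256=PLACEHOLDER_HASH_RMM",
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding.image)
        for reason in finding.reasons:
            print("  -", reason)
```

Note that a valid signature is not a clean bill of health here: BYOVD works precisely because the driver is legitimately signed, which is why the hash/name match and the load path carry the weight, and the signature check only catches the cruder cases.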

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
