⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [3 February] - Related to ix-workshop:, [3, heise-angebot:, id, ⚡

⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [3 February]

This week, our news radar exhibits that every new tech idea comes with its own challenges. A hot AI tool is under close watch, law enforcement is shutting down online spots that help cybercriminals, and teams are busy fixing software bugs that could let attackers in. From advanced locks on our devices to stopping sneaky tricks online, simple steps are making a big difference.

Let's take a closer look at how these efforts are shaping a safer digital world.

DeepSeek's Popularity Invites Scrutiny — The overnight popularity of DeepSeek, an artificial intelligence (AI) platform originating from China, has led to extensive scrutiny of its models, with several analyses finding ways to jailbreak its system and produce malicious or prohibited content. While jailbreaks and prompt injections are a persistent concern in mainstream AI products, the findings also show that the model lacks enough protections to prevent potential abuse by malicious actors. The AI chatbot has also been targeted by what the firm unveiled were "large-scale malicious attacks," prompting it to temporarily limit user registrations. The service has since been banned in Italy over data protection concerns. Texas Republican Governor Greg Abbott has also issued a ban on DeepSeek for government-issued devices.

Free Shadow AI Inventory. Uncover All GenAI Accounts Today With new AI tools like DeepSeek popping up daily, it's critical to know who's using which AI apps and where they are connected to other apps. Start a free trial of Nudge Security and uncover all GenAI use, even apps you've never heard of and accounts created before you started the trial. Get started.

Law Enforcement Operation Takes Down Illicit Cybercrime Services — A series of law enforcement operations have taken down various online marketplaces such as Cracked, Nulled, Sellix, StarkRDP, and HeartSender that sold hack tools, illegal goods, and crimeware solutions. Millions of people are estimated to have been impacted, earning the threat actors hundreds of thousands of dollars in illegal revenues.

— A series of law enforcement operations have taken down various online marketplaces such as Cracked, Nulled, Sellix, StarkRDP, and HeartSender that sold hack tools, illegal goods, and crimeware solutions. Millions of individuals are estimated to have been impacted, earning the threat actors hundreds of thousands of dollars in illegal revenues. Apple Fixed an Actively Exploited Zero-Day — Apple released software updates for iOS, iPadOS, macOS, tvOS, visionOS, and watchOS to address a zero-day vulnerability (CVE-2025-24085) that it stated has been exploited in the wild. The flaw is a use-after-free bug in the Core Media component that could permit a malicious application already installed on a device to elevate privileges. There are currently no details available on how it has been weaponized in real-word attacks, who may have been targeted, and the scale of the attacks.

— A Mirai botnet variant dubbed Aquabot is actively attempting to exploit a medium-severity security flaw impacting Mitel phones in order to ensnare them into a rogue network capable of mounting distributed denial-of-service (DDoS) attacks. The flaw (CVE-2024-41710), a command injection vulnerability that allows for arbitrary command execution within the context of the phone, was addressed by Mitel in July 2024. UAC-0063 Uses Stolen Docs to Target Other Victims — A hacking group tracked as UAC-0063 has been linked to a series of attacks that involve the use of documents stolen from one victim as lures to target others and infect them with a known loader malware called HATVIBE. The attacks have also involved the deployment of a newly discovered USB data exfiltrator codenamed PyPlunderPlug in at least one incident targeting a German business in mid-January 2023.

Your go-to software could be hiding dangerous security flaws—don't wait until it's too late! modification now and stay ahead of the threats before they catch you off guard.

This week's list includes — CVE-2025-0626, CVE-2024-12248, CVE-2025-0683 (Contec CMS8000), CVE-2025-22217 (Broadcom VMware Avi Load Balancer), CVE-2025-22218, CVE-2025-22219, CVE-2025-22220, CVE-2025-22221, CVE-2025-22222 (Broadcom VMware Aria Operations and Aria Operations for Logs), CVE-2024-55415, CVE-2024-55416, CVE-2024-55417 (PHP Voyager), CVE-2025-22604 (Cacti), CVE-2024-40891 (Zyxel), CVE-2025-23040 (GitHub Desktop), CVE-2024-52012 (Apache Solr), CVE-2025-0065 (TeamViewer), CVE-2024-12647, CVE-2024-12648, CVE-2024-12649 (Canon Laser Printers and Small Office Multifunctional Printers), CVE-2025-0493 (MultiVendorX plugin), CVE-2024-12822 (Media Manager for UserPro plugin), CVE-2025-0851 (Deep Java Library), CVE-2025-20061, CVE-2025-20014 (mySCADA myPRO), CVE-2024-13448 (ThemeREX Addons plugin), CVE-2025-0357 (WPBookit plugin), CVE-2024-1354 (Bootstrap Ultimate theme), CVE-2024-56404 (One Identity Identity Manager), CVE-2024-53299 (Apache Wicket), and CVE-2024-12857 (AdForest theme).

Microsoft Previews Scareware Blocker in Edge — Microsoft expressed it's adding a new scareware blocker to its Edge browser to defend against tech support scams that use fake web pages to fool victims into thinking that their systems are infected with malware, and persuade them to either call a fake support number or gain unauthorized access to their systems. "Scareware blocker uses a machine learning model to recognize the tell-tale signs of scareware scams and puts customers back in control of their computer," the corporation expressed. "The model uses computer vision to compare full screen pages to thousands of sample scams that the scam-fighting community shared with us. The model runs locally, without saving or sending images to the cloud." Last year, the [website] Federal Trade Commission (FTC) fined two tech support firms Restoro and Reimage $26 million over charges that they lured consumers with fake Microsoft Windows pop-ups, stating their computers were compromised with viruses. The development comes as Microsoft expressed it's continuing to roll out safeguards against brand impersonation attempts in Teams, a technique adopted by various threat actors for malware propagation.

— Microsoft mentioned it's adding a new scareware blocker to its Edge browser to defend against tech support scams that use fake web pages to fool victims into thinking that their systems are infected with malware, and persuade them to either call a fake support number or gain unauthorized access to their systems. "Scareware blocker uses a machine learning model to recognize the tell-tale signs of scareware scams and puts customers back in control of their computer," the firm mentioned. "The model uses computer vision to compare full screen pages to thousands of sample scams that the scam-fighting community shared with us. The model runs locally, without saving or sending images to the cloud." Last year, the [website] Federal Trade Commission (FTC) fined two tech support firms Restoro and Reimage $26 million over charges that they lured consumers with fake Microsoft Windows pop-ups, stating their computers were compromised with viruses. The development comes as Microsoft mentioned it's continuing to roll out safeguards against brand impersonation attempts in Teams, a technique adopted by various threat actors for malware propagation. Brazil Bans Tools for Humanity From Paying People for Iris Scans — Brazilian data privacy regulators have prohibited Tools for Humanity (TFH), a biometric identity firm co-founded by OpenAI CEO Sam Altman, from offering compensation to citizens for iris scans, saying such data collection practice interferes with a person's decision to grant consent for access to sensitive personal data. "Consent for the processing of sensitive personal data, such as biometric data, must be free, informed, unequivocal and provided in a specific and highlighted manner, for specific purposes," the National Data Protection Authority (ANPD) mentioned. TFH told The Record that it follows all laws and regulations in the country. The ban coincided with a complaint filed by the European Consumer Organisation (BEUC), criticizing Meta for its pay or consent policy and for failing to give customers a fair choice.

— Brazilian data privacy regulators have prohibited Tools for Humanity (TFH), a biometric identity organization co-founded by OpenAI CEO Sam Altman, from offering compensation to citizens for iris scans, saying such data collection practice interferes with a person's decision to grant consent for access to sensitive personal data. "Consent for the processing of sensitive personal data, such as biometric data, must be free, informed, unequivocal and provided in a specific and highlighted manner, for specific purposes," the National Data Protection Authority (ANPD) expressed. TFH told The Record that it follows all laws and regulations in the country. The ban coincided with a complaint filed by the European Consumer Organisation (BEUC), criticizing Meta for its pay or consent policy and for failing to give people a fair choice. New Research Uncovers Intel TDX Vulnerability — Intel Trust Domain Extensions (TDX) has become a crucial CPU-level technology aimed at strengthening the isolation and security guarantees of virtual machines to protect sensitive data and applications from unauthorized access. This also means that vulnerabilities discovered in the technology can undermine its confidentiality and integrity objectives by breaching the isolation between the Virtual Machine Manager (VMM) and Trust Domains (TDs). A new study by a group of researchers from the Indian Institute of Technology Kharagpur and Intel has uncovered a critical flaw in TDX's Performance Monitoring Counters (PMC) virtualization that breaks the isolation between the VMM and TD, as well as between different TDs running concurrently on the same system. "In a particular scenario where the VMM and a TD are co-located on the same core, resource contention arises, exposing the TD's computation patterns on PMCs collected by the VMM for its own processes making PMC virtualization ineffective," the study expressed.

— Intel Trust Domain Extensions (TDX) has become a crucial CPU-level technology aimed at strengthening the isolation and security guarantees of virtual machines to protect sensitive data and applications from unauthorized access. This also means that vulnerabilities discovered in the technology can undermine its confidentiality and integrity objectives by breaching the isolation between the Virtual Machine Manager (VMM) and Trust Domains (TDs). A new study by a group of researchers from the Indian Institute of Technology Kharagpur and Intel has uncovered a critical flaw in TDX's Performance Monitoring Counters (PMC) virtualization that breaks the isolation between the VMM and TD, as well as between different TDs running concurrently on the same system. "In a particular scenario where the VMM and a TD are co-located on the same core, resource contention arises, exposing the TD's computation patterns on PMCs collected by the VMM for its own processes making PMC virtualization ineffective," the study said. Threat Actor Infects Over 18K Devices Using Trojanized RAT Builder — An unknown threat actor is going after script kiddies to trick them into downloading a trojanized version of the XWorm RAT builder via GitHub repositories, file-sharing services, Telegram channels, and YouTube videos to compromise over 18,459 devices globally. The top countries impacted include Russia, the [website], India, Ukraine, and Turkey. "The malware uses Telegram as its command-and-control (C&C) infrastructure, leveraging bot tokens and API calls to issue commands to infected devices and exfiltrate stolen data," CloudSEK researcher Vikas Kundu said. The malicious operation, however, has been disrupted by taking advantage of the malware's kill switch to issue an "/uninstall" command over Telegram. It's worth noting that machines that were not online when the command was sent remain compromised.

— An unknown threat actor is going after script kiddies to trick them into downloading a trojanized version of the XWorm RAT builder via GitHub repositories, file-sharing services, Telegram channels, and YouTube videos to compromise over 18,459 devices globally. The top countries impacted include Russia, the [website], India, Ukraine, and Turkey. "The malware uses Telegram as its command-and-control (C&C) infrastructure, leveraging bot tokens and API calls to issue commands to infected devices and exfiltrate stolen data," CloudSEK researcher Vikas Kundu said. The malicious operation, however, has been disrupted by taking advantage of the malware's kill switch to issue an "/uninstall" command over Telegram. It's worth noting that machines that were not online when the command was sent remain compromised. Researchers Detail Browser Syncjacking Technique — A new attack method called Browser Syncjacking shows that it's possible to take control of a victim's device by installing a seemingly innocuous Chrome browser extension, highlighting how add-ons could become lucrative low-hanging fruits for attackers. It involves a series of steps that begins with the adversary creating a malicious Google Workspace domain and setting up several user profiles under it without any security features. The adversary then publishes an extension to the Web Store and tricks victims into installing it using social engineering techniques. Once installed, the extension is used to stealthily log the victim into a Chrome browser profile managed by the attacker using a hidden window, thus enabling the threat actor to push arbitrary Chrome policies on the profile. This includes urging victims to turn on Chrome Sync, allowing the attacker to access all of the victim's secrets via the hijacked profile. The end goal, per SquareX, is to turn the whole browser into a managed browser controlled by the attacker, granting them the ability to enforce custom extensions that can be hosted on private links and don't have to go through the Chrome Web Store vetting process. Installing one of these add-ons could be enough to harvest sensitive data and seize control of the system through a clandestine communication mechanism that makes use of Chrome's Native Messaging API. Separately, recent research undertaken by security researcher Wladimir Palant has found that third-party extension developers are abusing a language translation feature built into the extension description system to push sketchy add-ons users search for legitimate extensions on the Web Store. Also discovered were an additional set of Chrome extensions capable of injecting ads into web pages, tracking website visits, affiliate fraud, and cookie stuffing attacks.

DevOps + Security = The Fast Track to Resilience — Tired of security slowing down development—or risky shortcuts putting you at risk? Join Sarit Tager, VP of Product Management at Palo Alto Networks, in this must-attend webinar to discover how to break the Dev-Sec standoff. Learn how to embed smart, seamless security guardrails into your DevOps pipeline, prioritize code issues with full ecosystem context, and replace "shift left" confusion with the clarity of "start left" success. If speed and security feel like a trade-off, this webinar will show you how to have both. Save your spot now.

— Tired of security slowing down development—or risky shortcuts putting you at risk? Join Sarit Tager, VP of Product Management at Palo Alto Networks, in this must-attend webinar to discover how to break the Dev-Sec standoff. Learn how to embed smart, seamless security guardrails into your DevOps pipeline, prioritize code issues with full ecosystem context, and replace "shift left" confusion with the clarity of "start left" success. If speed and security feel like a trade-off, this webinar will show you how to have both. Save your spot now. A Clear Path to Identity Security: Actionable Steps with Okta Experts — Struggling with identity security gaps that increase risks and inefficiencies? Join Okta's experts, Karl Henrik Smith and Adam Boucher, to discover how the Secure Identity Assessment (SIA) delivers a clear, actionable roadmap to strengthen your identity posture. Learn to identify high-risk gaps, streamline workflows, and adopt a scalable, phased approach to future-proofing your defenses. Don't let identity debt hold your organization back—gain the insights you need to reduce risk, optimize operations, and secure business outcomes.

[website] Know someone who could use these? Share it.

Sniffnet: A free, open-source tool designed to help you easily monitor your Internet traffic. This cross-platform app lets you choose your network adapter, apply filters, and view real-time charts to see exactly what's happening on your connection. Whether you're checking overall stats, spotting unusual activity, or setting up custom alerts, Sniffnet puts clear, actionable insights right at your fingertips.

IntelOwl is a powerful open-source tool designed to streamline and speed up threat intelligence management. If you've ever needed to pull data on malware, IP addresses, or domains from multiple insights with a single request, this is the platform for you. By integrating a wide range of advanced malware analysis tools and online analyzers, IntelOwl makes it easy to enhance your threat data while offering a variety of attributes to automate routine analyst tasks—saving time and boosting your response to emerging threats.

As we wrap up this week's enhancement, think of your digital life as a home that needs constant care. Small actions—like updating your software, using strong passwords, or checking the settings on your apps—are like adding extra locks to your door. Every enhancement or fix mentioned this week is a reminder: staying informed and taking simple steps can make a big difference.

Thank you for reading, and here's to staying secure and smart in our everyday tech choices.

[website] million people were affected, in a breach that could spell more trouble down the line.

Fake travel reservations are exacting more pain from the travel weary, already dealing with the mise...

Brazilian Windows customers are the target of a campaign that delivers a banking malware known as Coyote...

8Base: Vier Festnahmen und 17 Server in Deutschland beschlagnahmt

In einer koordinierten Aktion von Strafverfolgungsbehörden aus 14 Ländern wurden vergangene Woche vier Anführer der Ransomware-Gruppe 8Base festgenommen, der größte Affiliate von Phobos. Die Festnahme in Thailand gelang zusammen mit dem FBI, der Schweizer Bundesanwaltschaft und der Schweizer Bundespolizei (Fedpol). 8Base steht unter Verdacht, mit einer Variante der Phobos-Ransomware weltweit hohe Lösegeldzahlungen erpresst zu haben. Dabei betrieb sie, wie viele Ransomware-Gruppen, Double Extortion.

Phobos hatte bereits in der Vergangenheit die Basler Softwarefirma Concevis angegriffen, wovon auch Schweizer Bundesbehörden betroffen waren. Auf der Liste der Opfer stehen aber auch Gesundheitseinrichtungen wie Krankenhäuser und Apotheken, informiert die bei der Generalstaatsanwaltschaft Bamberg angesiedelte Zentralstelle Cybercrime Bayern (ZCB), die ebenfalls an der Aktion internationaler Strafverfolgungsbehörden teilgenommen hat.

Am vergangenen Sonntag habe die "IT-Infrastruktur der 8Base-Gruppierung beschlagnahmt und vom Bayerischen Landeskriminalamt vom Netz genommen" werden können, teilt die ZCB mit. "Zuvor wurde durch das Amtsgericht Bamberg die Beschlagnahme von insgesamt 115 Servern angeordnet", so die ZCB. Weitere 15 Server wurden auf Anordnung beschlagnahmt. Laut Europol wurden insgesamt 27 Server beschlagnahmt, die mit dem kriminellen Netzwerk in Verbindung stehen – 17 davon in Deutschland, wie die ZCB mitteilt. In Deutschland fanden laut ZCB 365 Phobos-Angriffe statt.

Die Aktion, an der neben dem FBI und der Schweizer Bundesanwaltschaft Fedpol auch das ZCB und das Bayerische Landeskriminalamt (BLKA) und weitere beteiligt waren, folgt auf eine Reihe von Festnahmen in Zusammenhang mit Phobos. Im Juni ist ein Administrator von Phobos in Südkorea festgenommen und anschließend an die Vereinigten Staaten ausgeliefert worden. Er wird nun wegen verschiedener Ransomware-Angriffe auf Kritische Infrastrukturen angeklagt. 2023 wurde nach Angaben von Europol ein weiterer Phobos-Affiliate in Italien festgenommen. Sie konnten der kriminellen Gruppierung 8Base zugeordnet werden. Europols European Cybercime Centre (EC3) unterstützt die Untersuchung seit Anfang 2019.

Laut ZCB habe das BLKA "240 Firmen aus 30 Ländern vor einer Verschlüsselung" warnen können – 55 Unternehmen stammen aus den USA, 35 aus Frankreich, 25 aus Japan und 18 Firmen aus Deutschland. "Äußerst erfreulich ist, dass durch das Bayerische Landeskriminalamt weltweit deutlich über einhundert Geschädigte vor einer Verschlüsselung ihrer Daten bewahrt werden konnten. Bei einem statistisch durchschnittlichen Schaden von etwa fünf Millionen Euro im Falle eines erfolgreichen Ransomware-Angriffs ergibt sich hier eine rechnerisch unglaubliche Summe von weit mehr als einer halben Milliarde Euro", kommentiert BLKA-Präsident Norbert Radmacher. Insgesamt seien durch die Strafverfolgungsbehörden laut Europol mehr als 400 Unternehmen weltweit vor laufenden oder bevorstehenden Ransomware-Angriffen gewarnt worden.

Die Ransomware Phobos wurde nach Informationen von Europol erstmals im Dezember 2018 gesichtet und wird häufig bei großangelegten Angriffen auf Unternehmen und Organisationen auf der ganzen Welt eingesetzt. Phobos greift nach Angaben von Europol vor allem kleine und mittelständische Unternehmen, die oft nicht ausreichend abgesichert sind.

Ivanti has released security updates to address multiple security flaws impacting Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Applic......

A subgroup within the infamous Russian state-sponsored hacking group known as Sandworm has been attributed to a multi-year initial access operation du......

While the first article outlined why VPNs are risky and cloud-based RDP is a superior alternative, this article will take a closer look at what makes ......

heise-Angebot: iX-Workshop: Angriffe auf Entra ID abwehren

Microsofts Cloud-basierter Identitäts- und Zugriffsverwaltungsdienst Entra ID ist als zentraler Bestandteil vieler Unternehmensnetzwerke ein beliebtes Ziel für Ransomware und andere Angriffe.

Im zweitägigen Online-Workshop Angriffe auf und Absicherung von Entra ID erfahren Sie, wie Angreifer Fehlkonfigurationen in Microsofts Identitätsverwaltungsdienst und fehlende Härtungsmaßnahmen erkennen und ausnutzen. Darauf aufbauend zeigt Ihnen Thomas Kudlacek, wie Sie Ihre Entra ID-Umgebung inklusive der Azure-Dienste effektiv absichern und gibt Ihnen Empfehlungen. Mit den Unterlagen, die Sie in dieser Schulung erhalten, können Sie im Anschluss selbstständig üben.

Der nächste Workshop findet vom 27. bis 28. Februar 2025 statt und richtet sich an Mitarbeitende aus den Bereichen Administration, IT-Leitung und IT-Sicherheit. Ihr Trainer Thomas Kudlacek ist Cyber Security Specialist bei der Cyber Security Academy von Oneconsult. Zuvor war er als Penetrationstester für einen internationalen Dienstleister tätig.

secIT – die Kongressmesse für Security-Experten! Wer tiefer in die aktuellen Themen rund um IT-Sicherheit eintauchen und sich mit Experten und Kollegen austauschen möchte, ist herzlich eingeladen, die secIT vom 18. und 20. März 2025 zu besuchen. Mehr als 100 Unternehmen präsentieren ihre Lösungen im Hannover Congress Centrum (HCC). Auf vier Bühnen erwarten Sie über 50 Sessions zu aktuellen IT-Security-Trends und -Lösungen. Zudem bieten 30 Workshops und rund 20 Deep Dive Sessions die Möglichkeit, Ihr Fachwissen zu vertiefen.

Cybersecurity researchers have discovered a bypass for a now-patched security vulnerability in the NVIDIA Container Toolkit that could be exploited to......

Microsoft has released the KB5051974 cumulative revision for Windows 10 22H2 and Windows 10 21H2, which automatically installs the new Outlook for Windo......

Behörden und Cybersicherheitsfachleute haben gravierende Sicherheitsbedenken gegen die chinesische KI DeepSeek. Dabei geht es um mehrere Punkte: die o......