VM#014

Hi Everyone,

Here’s a roundup of the latest cybersecurity news, reports, and tools from the past weeks.

Cybersecurity News

  • North Korean hackers stole $1.5 billion in crypto in just two minutes – the biggest cyber heist in history. Find out more.

  • New approach by CISA and Cyber Command to Russian cyber operations – commentary by Kamil from counterintelligence.pl. Highly recommend reading Kamil's blog, not only for CTI (Cyber Threat Intelligence) enthusiasts but for anyone interested in learning more. His blog is in Polish & English. Find out more.

  • CERT Orange Cyberdefense releases the 28th version of its ransomware map – tracking relationships between 300+ ransomware groups from 2015 to 2025, with new additions like 0mega, Anubis, Arcane, Kraken, and LockBit 4.0. Find out more & download the map.

Vulnerabilities & Exploits & Hacks

  • Kibana Security Update: Elastic has released a security update for its Kibana application, addressing a prototype pollution vulnerability that could lead to arbitrary code execution via crafted file uploads and specific HTTP requests. Find out more.

  • Critical Wazuh RCE Vulnerability (CVE-2025-24016): A critical RCE vulnerability in Wazuh versions 4.4.0-4.9.0 allows attackers with API access to inject malicious payloads, executing arbitrary Python code remotely. Find out more.

  • VMware Zero-Day Vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226): Three zero-day vulnerabilities in VMware products, exploited in the wild, affect ESXi, Workstation, and Fusion, with over 37,000 ESXi instances remaining vulnerable. Find out more.

Threat Hunting & Malware

  • EclecticIQ researcher Arda Büyükkaya leveraged data from the BlackBasta leak (shared in a previous issue) to uncover a previously hidden malware encryption service called GoblinCrypt. By analyzing the BlackBasta chat logs, he gained access to this private tool designed to evade EDR/AV protections, enabling him to trace malware samples and command-and-control addresses. Find out more.

  • Over 1 Million Android devices compromised: Research indicates that at least 1 million Android-based devices, including TV streaming boxes and car infotainment systems, are infected with malware, forming a botnet controlled by scammers. Find out more.

Learning

TryHackMe's New Free SAL1 Certificate for BTL1 or CySA+ holders!
If you hold a BTL1 or CySA+ certification, TryHackMe is offering FREE access to its latest certification, SAL1. Check out MyDFIR's video review about it.

📰 Reports

  • Middle East Cyber Threat Intelligence Analysis Magazine (2024 Q3-Q4). Created by Celery, this report dives into the latest cyber threat landscape in the Middle East.

  • 2025 Cyber Threat Landscape for the Nordic Financial Sector: Published by Nordic Financial CERT (NFCERT), this report highlights ransom attacks by organized crime groups as the most serious threat to the region’s financial sector. Report.

Espionage & Counterintelligence

  • Vsquare is our English outlet. Our recent investigation uncovered a secret operation by Hungarian intelligence services, allegedly prepared to assist Bosnian Serb leader Milorad Dodik in fleeing to Hungary to avoid arrest by Bosnian courts for separatist activities. Find out more.

  • Sirajuddin Haqqani's reported communications with Afghan Political Experts: Sirajuddin Haqqani, the Taliban's Interior Minister and leader of the Haqqani network, is reported to have established contacts with several former Afghan political experts. These communications were facilitated by the CIA and the American think tank, the Redacted Institute. Find out more.

  • Swedish police investigate attempted sabotage of Gotland's water supply: A suspected sabotage of Gotland's water supply is being investigated after an electric cable was pulled from a control box, halting raw water pumps. Find out more (.se)

  • Shifts in Intelligence Sharing: U.S. reduces support to Ukraine; France steps in: The United States has reportedly reduced intelligence sharing with Ukraine, while France has stepped in to provide necessary support, highlighting shifts in international intelligence collaborations. Find out more.

Other

  • The UK has lifted sanctions on 24 Syrian entities, unfreezing their assets, including the Central Bank of Syria and Syria’s Petroleum Company. However, the US and EU continue to impose sanctions on Syria's central bank.

  • South Korea and Poland have been strategic partners since 2013. Seoul has entered into a security cooperation agreement with Poland, which is one of the largest global recipients of South Korean military equipment.

SOCMINT

  • TikTok Faces Imminent U.S. Deadline: With less than a month until its U.S. operating license expires, TikTok has yet to enter negotiations with potential buyers, leading to frustration among suitors over limited access to the company's financial and technological details. Uncertainty also surrounds the leadership of negotiations with the Trump administration. Find out more.

  • Skype to Be Discontinued by May 5, 2025: It's happening due to declining usage. Microsoft advises users to export their data and transition to Microsoft Teams. Unused Skype data will be retained until December 2025, after which it will be permanently deleted. If users delete their Skype accounts, data will be wiped within 60 days. Skype was among the first to introduce end-to-end encryption for calls.

  • Instagram is testing a new 'Community Chats' feature that is similar to Discord and allows up to 250 people in a group. Find out more.

  • Meta trials Facial Recognition to combat "Celeb-Bait" Scams: Meta is testing a feature to detect "celeb-bait" scams, where fraudsters exploit public figures' images to trick users into clicking on fraudulent ads. Find out more.

OSINT

In VN#009, I shared information about the challenge, and now Graylark Technologies, the creator of GeoSpy AI, has published the full solution to the $10k GeoSpy OSINT challenge from December 23, 2025. No one claimed the prize this time. Stay tuned for more challenges!

Tools

  • LinkedIn Post Inspector: Originally designed to refresh URL previews, debug link issues, and optimize sharing, this tool also lets OSINT researchers view the original link behind https ://lnkd.in/xxxxxx without clicking it. A similar trick works with Bitly links: just add "+" at the end of the URL to see the original link and creation date.

  • LinkdTime: Developed by Luca 👋 (a very talented developer – check out his other OSINT tools), LinkdTime is a tool that gathers dates of comments, posts, and other activities on LinkedIn, generating timelines from multiple URLs.

  • GhostHunter: GhostHunter is a tool designed to uncover archived URLs from the Wayback Machine, allowing users to search for specific domain snapshots, filter by file extensions, and save results systematically.

Privacy

  • IntelTechniques offers a free comprehensive 10-Day Security Guide designed to enhance your digital hygiene and personal cybersecurity. This guide provides actionable steps to bolster your online privacy and security over a ten-day period.

Google Updates

  • Early access to Google’s new AI Mode. Here’s what you need to know.

  • Google reports Deepfake Terrorism Content: Google has reported more than 250 instances of AI-generated deepfake terrorism content to Australian regulators, highlighting the challenges in managing AI-generated media.

  • YouTube enhances teen safety features: YouTube has announced updates to its safety tools aimed at protecting teenage users, including stricter privacy settings and improved reporting mechanisms.

Darknet

  • US Sanctions Iranian Darknet Marketplace: The US has imposed sanctions on the Iranian-affiliated Nemesis darknet marketplace, targeting entities associated with illicit activities.

  • Seizure of Russian Crypto Exchange Garantex: US and European authorities have seized the website of Garantex, a Russian cryptocurrency exchange linked to darknet markets and ransomware operations.

  • DarkwebDaily.live is a platform that aggregates only admin-verified darknet links, monitors their uptime in real-time, and emphasizes privacy by avoiding JavaScript, trackers, and analytics. More info here.

Upcoming CyberSec / OSINT Events

Free

  • Free 45-Minute OSINT Webinar – March 12, 2025, at 5 PM EST. Register via Zoom.

  • Predict Lab's (CEO Baptiste Robert) x Flare: Deanonymizing Threat Actors Webinar – March 18, 2025, 11 AM - 1 PM ET. Suitable for beginners to experts. Online attendance earns CPE credit towards security certifications. Check it here.

  • InCyber Forum Europe – April 1-3, 2025. The event itself is free, but additional workshops are paid. It will be held at the Lille Grand Palais in France. Last year, I couldn't attend, but this year I will be there. It would be great to meet you there! The OSINT day looks sweet! The Event.

🙃 Bonus

The National Child Protection Task Force (NCPTF) is currently seeking a Volunteer Open-Source Intelligence Analyst. Deadline: 14.03.2025