This week, our news radar shows that every new tech idea comes with its own challenges. A hot AI tool is under close watch, law enforcement is shutting down online spots that help cybercriminals, and teams are busy fixing software bugs that could let attackers in. From better locks on our devices to stopping sneaky tricks online, simple steps are making a big difference.
Let’s take a closer look at how these efforts are shaping a safer digital world.
⚡ Threat of the Week
DeepSeek’s Popularity Invites Scrutiny — The overnight popularity of DeepSeek, an artificial intelligence (AI) platform originating from China, has led to extensive scrutiny of its models, with several analyses finding ways to jailbreak its system and produce malicious or prohibited content. While jailbreaks and prompt injections are a persistent concern in mainstream AI products, the findings also show that the model lacks enough protections to prevent potential abuse by malicious actors. The AI chatbot has also been targeted by what the company said were “large-scale malicious attacks,” prompting it to temporarily limit user registrations. The service has since been banned in Italy over data protection concerns. Texas Republican Governor Greg Abbott has also issued a ban on DeepSeek for government-issued devices.
🔔 Top News
- Law Enforcement Operation Takes Down Illicit Cybercrime Services — A series of law enforcement operations have taken down various online marketplaces such as Cracked, Nulled, Sellix, StarkRDP, and HeartSender that sold hack tools, illegal goods, and crimeware solutions. Millions of users are estimated to have been impacted, earning the threat actors hundreds of thousands of dollars in illegal revenues.
- Apple Fixed an Actively Exploited Zero-Day — Apple released software updates for iOS, iPadOS, macOS, tvOS, visionOS, and watchOS to address a zero-day vulnerability (CVE-2025-24085) that it said has been exploited in the wild. The flaw is a use-after-free bug in the Core Media component that could permit a malicious application already installed on a device to elevate privileges. There are currently no details available on how it has been weaponized in real-world attacks, who may have been targeted, or the scale of the attacks. Because the bug requires a local foothold, it is most likely one link in a longer exploit chain rather than a stand-alone remote attack.
- New WhatsApp Spyware Campaign Targets 90 Individuals — Meta-owned WhatsApp disclosed it disrupted a campaign that involved the use of spyware owned by an Israeli company named Paragon Solutions to target about 90 journalists and civil society members. The attack chain is said to be zero-click, meaning the deployment of the spyware occurs without requiring any user interaction. The company noted the targets were spread across over two dozen countries, including several in Europe. The development marks the first time Paragon, which claims to provide “ethically based tools” to “disrupt intractable threats,” has been linked to spyware misuse.
- Patched Mitel Flaw Exploited by Aquabot — A Mirai botnet variant dubbed Aquabot is actively attempting to exploit a medium-severity security flaw impacting Mitel phones in order to ensnare them into a rogue network capable of mounting distributed denial-of-service (DDoS) attacks. The flaw (CVE-2024-41710), a command injection vulnerability that allows for arbitrary command execution within the context of the phone, was addressed by Mitel in July 2024.
- UAC-0063 Uses Stolen Docs to Target Other Victims — A hacking group tracked as UAC-0063 has been linked to a series of attacks that involve the use of documents stolen from one victim as lures to target others and infect them with a known loader malware called HATVIBE. The attacks have also involved the deployment of a newly discovered USB data exfiltrator codenamed PyPlunderPlug in at least one incident targeting a German company in mid-January 2023.
🔥 Trending CVEs
Your go-to software could be hiding dangerous security flaws—don’t wait until it’s too late! Update now and stay ahead of the threats before they catch you off guard.
This week’s list includes — CVE-2025-0626, CVE-2024-12248, CVE-2025-0683 (Contec CMS8000), CVE-2025-22217 (Broadcom VMware Avi Load Balancer), CVE-2025-22218, CVE-2025-22219, CVE-2025-22220, CVE-2025-22221, CVE-2025-22222 (Broadcom VMware Aria Operations and Aria Operations for Logs), CVE-2024-55415, CVE-2024-55416, CVE-2024-55417 (PHP Voyager), CVE-2025-22604 (Cacti), CVE-2024-40891 (Zyxel), CVE-2025-23040 (GitHub Desktop), CVE-2024-52012 (Apache Solr), CVE-2025-0065 (TeamViewer), CVE-2024-12647, CVE-2024-12648, CVE-2024-12649 (Canon Laser Printers and Small Office Multifunctional Printers), CVE-2025-0493 (MultiVendorX plugin), CVE-2024-12822 (Media Manager for UserPro plugin), CVE-2025-0851 (Deep Java Library), CVE-2025-20061, CVE-2025-20014 (mySCADA myPRO), CVE-2024-13448 (ThemeREX Addons plugin), CVE-2025-0357 (WPBookit plugin), CVE-2024-1354 (Bootstrap Ultimate theme), CVE-2024-56404 (One Identity Identity Manager), CVE-2024-53299 (Apache Wicket), and CVE-2024-12857 (AdForest theme).
📰 Around the Cyber World
- Microsoft Previews Scareware Blocker in Edge — Microsoft said it’s adding a new scareware blocker to its Edge browser to defend against tech support scams that use fake web pages to fool victims into thinking that their systems are infected with malware, and persuade them to either call a fake support number or gain unauthorized access to their systems. “Scareware blocker uses a machine learning model to recognize the tell-tale signs of scareware scams and puts users back in control of their computer,” the company said. “The model uses computer vision to compare full screen pages to thousands of sample scams that the scam-fighting community shared with us. The model runs locally, without saving or sending images to the cloud.” Last year, the U.S. Federal Trade Commission (FTC) fined two tech support firms Restoro and Reimage $26 million over charges that they lured consumers with fake Microsoft Windows pop-ups, stating their computers were compromised with viruses. The development comes as Microsoft said it’s continuing to roll out safeguards against brand impersonation attempts in Teams, a technique adopted by various threat actors for malware propagation.
- Brazil Bans Tools for Humanity From Paying People for Iris Scans — Brazilian data privacy regulators have prohibited Tools for Humanity (TFH), a biometric identity company co-founded by OpenAI CEO Sam Altman, from offering compensation to citizens for iris scans, saying such data collection practice interferes with a person’s decision to grant consent for access to sensitive personal data. “Consent for the processing of sensitive personal data, such as biometric data, must be free, informed, unequivocal and provided in a specific and highlighted manner, for specific purposes,” the National Data Protection Authority (ANPD) said. TFH told The Record that it follows all laws and regulations in the country. The ban coincided with a complaint filed by the European Consumer Organisation (BEUC), criticizing Meta for its pay or consent policy and for failing to give users a fair choice.
- New Research Uncovers Intel TDX Vulnerability — Intel Trust Domain Extensions (TDX) has become a crucial CPU-level technology aimed at strengthening the isolation and security guarantees of virtual machines to protect sensitive data and applications from unauthorized access. This also means that vulnerabilities discovered in the technology can undermine its confidentiality and integrity objectives by breaching the isolation between the Virtual Machine Manager (VMM) and Trust Domains (TDs). A new study by a group of researchers from the Indian Institute of Technology Kharagpur and Intel has uncovered a critical flaw in TDX’s Performance Monitoring Counters (PMC) virtualization that breaks the isolation between the VMM and TD, as well as between different TDs running concurrently on the same system. “In a particular scenario where the VMM and a TD are co-located on the same core, resource contention arises, exposing the TD’s computation patterns on PMCs collected by the VMM for its own processes making PMC virtualization ineffective,” the study said.
- Threat Actor Infects Over 18K Devices Using Trojanized RAT Builder — An unknown threat actor is going after script kiddies to trick them into downloading a trojanized version of the XWorm RAT builder via GitHub repositories, file-sharing services, Telegram channels, and YouTube videos, compromising 18,459 devices globally. The top countries impacted include Russia, the U.S., India, Ukraine, and Turkey. “The malware uses Telegram as its command-and-control (C&C) infrastructure, leveraging bot tokens and API calls to issue commands to infected devices and exfiltrate stolen data,” CloudSEK researcher Vikas Kundu said. The malicious operation, however, has been disrupted by taking advantage of the malware’s kill switch to issue an “/uninstall” command over Telegram. It’s worth noting that machines that were not online when the command was sent remain compromised, so the takedown is partial rather than complete.
- Researchers Detail Browser Syncjacking Technique — A new attack method called Browser Syncjacking shows that it’s possible to take control of a victim’s device by installing a seemingly innocuous Chrome browser extension, highlighting how add-ons could become low-hanging fruit for attackers. It involves a series of steps that begins with the adversary creating a malicious Google Workspace domain and setting up several user profiles under it without any security features. The adversary then publishes an extension to the Web Store and tricks victims into installing it using social engineering techniques. Once installed, the extension is used to stealthily log the victim into a Chrome browser profile managed by the attacker using a hidden window, thus enabling the threat actor to push arbitrary Chrome policies on the profile. This includes urging victims to turn on Chrome Sync, allowing the attacker to access all of the victim’s saved passwords, history, and other synced data via the hijacked profile. The end goal, per SquareX, is to turn the whole browser into a managed browser controlled by the attacker, granting them the ability to enforce custom extensions that can be hosted on private links and don’t have to go through the Chrome Web Store vetting process. Installing one of these add-ons could be enough to harvest sensitive data and seize control of the system through a clandestine communication mechanism that makes use of Chrome’s Native Messaging API, which lets an extension exchange messages with a native executable registered on the host. The practical check for users is chrome://management, which states whether the browser or profile is managed and by whom. Separately, recent research undertaken by security researcher Wladimir Palant has found that third-party extension developers are abusing a language translation feature built into the extension description system to push sketchy add-ons when users search for legitimate extensions on the Web Store. Also discovered were an additional set of Chrome extensions capable of injecting ads into web pages, tracking website visits, affiliate fraud, and cookie stuffing attacks.
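The two local footholds the Syncjacking chain ends with are a policy-forced extension and a native messaging host that bridges the extension to an executable. The following PowerShell script is an added hunting example written for this recap; it is not SquareX’s code or anything from the original research. It enumerates Chrome’s documented Windows registry locations for the ExtensionInstallForcelist policy and for native messaging host manifests, and flags force-installed extensions served from somewhere other than the Chrome Web Store update URL and hosts not on a baseline you maintain. The baseline list is a placeholder you must fill in for your environment.

```powershell
# Added hunting script (not from the article or SquareX): list policy-forced
# extensions and native messaging hosts registered for Google Chrome on Windows.
# Assumption: $KnownGoodHosts is your own baseline of expected host names.
$KnownGoodHosts = @('com.google.chrome.remote_desktop')

$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome'
)
$nmhKeys = @(
    'HKLM:\SOFTWARE\Google\Chrome\NativeMessagingHosts',
    'HKCU:\SOFTWARE\Google\Chrome\NativeMessagingHosts'
)

Write-Host '== Force-installed extensions (ExtensionInstallForcelist) =='
foreach ($k in $policyKeys) {
    $fl = Join-Path $k 'ExtensionInstallForcelist'
    if (-not (Test-Path $fl)) { continue }
    (Get-ItemProperty $fl).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object {
            # Value format is "<extension id>;<update url>". An update URL that is
            # not clients2.google.com means the CRX is pulled from a private host,
            # which is exactly the off-store delivery the technique relies on.
            $id, $url = $_.Value -split ';', 2
            $flag = if ($url -and $url -notmatch '^https://clients2\.google\.com/') { 'OFF-STORE' } else { '' }
            '{0,-34} {1} {2}' -f $id, $url, $flag
        }
}

Write-Host '== Native messaging hosts =='
foreach ($k in $nmhKeys) {
    if (-not (Test-Path $k)) { continue }
    Get-ChildItem $k | ForEach-Object {
        $name = $_.PSChildName
        # The key's default value is the path to the host's JSON manifest.
        $manifestPath = (Get-ItemProperty $_.PSPath).'(default)'
        if (-not $manifestPath -or -not (Test-Path -LiteralPath $manifestPath)) {
            "$name -> manifest missing ($manifestPath)"
            return   # acts as 'continue' inside ForEach-Object
        }
        $m = Get-Content -LiteralPath $manifestPath -Raw | ConvertFrom-Json
        $flag = if ($KnownGoodHosts -notcontains $name) { 'UNKNOWN' } else { '' }
        '{0} {1}' -f $name, $flag
        '   exe:     {0}' -f $m.path                         # the binary the extension can talk to
        '   origins: {0}' -f ($m.allowed_origins -join ', ') # chrome-extension://<id>/ entries allowed to connect
    }
}
```

Run it in an elevated prompt so the HKLM keys are readable. One caveat: policies delivered to a cloud-managed profile, which is what a Workspace sign-in produces, are not written to these registry keys; they are visible only in chrome://policy and chrome://management. The script therefore catches the on-disk artifacts (the native messaging manifest and any machine-level forcelist), not the cloud policy itself, so pair it with a check of those two pages on any host you suspect.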
- Subaru Starlink Flaw Let Hackers Hijack Cars — A security vulnerability in Subaru’s Starlink connected vehicle service could have granted unrestricted targeted access to all vehicles and customer accounts in the United States, Canada, and Japan. Using the access provided by the vulnerability, an attacker who knew only the victim’s last name and ZIP code, email address, phone number, or license plate could have remotely started, stopped, locked, or unlocked any vehicle. It could also have been abused to retrieve the current location, as well as the history from the past year, accurate to within 5 meters and updated each time the engine starts. The vulnerability could also have allowed access to sensitive personal information, call history, previous ownership details, sales history, and odometer readings. The vulnerability in the web portal was fixed on November 21, 2024, within 24 hours of responsible disclosure by researchers Sam Curry and Shubham Shah. There is no evidence it was ever maliciously exploited in the wild. The flaw is the latest in a series of vulnerabilities that have affected other carmakers, such as Kia and Mercedes-Benz.
🎥 Expert Webinar
- DevOps + Security = The Fast Track to Resilience — Tired of security slowing down development—or risky shortcuts putting you at risk? Join Sarit Tager, VP of Product Management at Palo Alto Networks, in this must-attend webinar to discover how to break the Dev-Sec standoff. Learn how to embed smart, seamless security guardrails into your DevOps pipeline, prioritize code issues with full ecosystem context, and replace “shift left” confusion with the clarity of “start left” success. If speed and security feel like a trade-off, this webinar will show you how to have both. Save your spot now.
- A Clear Path to Identity Security: Actionable Steps with Okta Experts — Struggling with identity security gaps that increase risks and inefficiencies? Join Okta’s experts, Karl Henrik Smith and Adam Boucher, to discover how the Secure Identity Assessment (SIA) delivers a clear, actionable roadmap to strengthen your identity posture. Learn to identify high-risk gaps, streamline workflows, and adopt a scalable, phased approach to future-proofing your defenses. Don’t let identity debt hold your organization back—gain the insights you need to reduce risk, optimize operations, and secure business outcomes.
🔧 Cybersecurity Tools
- Sniffnet: A free, open-source tool designed to help you easily monitor your Internet traffic. This cross-platform app lets you choose your network adapter, apply filters, and view real-time charts to see exactly what’s happening on your connection. Whether you’re checking overall stats, spotting unusual activity, or setting up custom alerts, Sniffnet puts clear, actionable insights right at your fingertips.
- IntelOwl: A powerful open-source tool designed to streamline and speed up threat intelligence management. If you’ve ever needed to pull data on malware, IP addresses, or domains from multiple sources with a single request, this is the platform for you. By integrating a wide range of advanced malware analysis tools and online analyzers, IntelOwl makes it easy to enhance your threat data while offering a variety of features to automate routine analyst tasks—saving time and boosting your response to emerging threats.
🔒 Tip of the Week
Windows’ Simple Ransomware Shield — Ransomware attacks can strike fast, but you have a built-in safeguard in Windows. Controlled Folder Access blocks untrusted apps from changing files in protected folders (Documents, Pictures, and the other user libraries by default, plus any folders you add), keeping your data safe. To activate it, open Windows Security, go to Virus & threat protection, click on Manage ransomware protection, and enable Controlled Folder Access. This simple step adds an extra lock on your digital files without needing any extra software. Two caveats: it relies on Microsoft Defender Antivirus real-time protection, so it does nothing if a third-party antivirus is the active engine, and it will block legitimate programs (backup tools, sync clients, some installers) that write to protected folders until you add them under “Allow an app through Controlled folder access.”
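The same setting is scriptable, which matters when you want to roll it out beyond one PC or find out which programs it would block before turning it on. The following is an added example for this recap, not code from Microsoft or the article; it uses the Defender cmdlets (Get-MpPreference, Set-MpPreference, Add-MpPreference) and the Defender operational event log. The folder and application paths are assumed placeholders.

```powershell
# Added example (not from the article): Controlled Folder Access from an
# elevated PowerShell prompt. Requires Microsoft Defender real-time protection.
# Paths below are assumptions; replace them with your own.

# 1. Current state (Disabled, Enabled or AuditMode) and current lists.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications

# 2. Start in audit mode: writes that would be blocked are only logged
#    (event ID 1124), so you learn which legitimate apps need an exception
#    before anything breaks.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Protect a folder beyond the default user libraries (assumed path).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'

# 4. Allow a trusted app by the full path of its executable (assumed path).
#    Pin the exact binary rather than a whole directory.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\AcmeBackup\backup.exe'

# 5. Enforce once the audit log is quiet.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Review what was blocked (1123) or would have been blocked (1124)
#    in the last 24 hours; the first line of each message names the process.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Run step 2 for a few days on a representative machine, work through the 1124 events, and only then move to step 5; turning enforcement on first is the usual reason users switch the feature straight back off.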
Conclusion
As we wrap up this week’s update, think of your digital life as a home that needs constant care. Small actions—like updating your software, using strong passwords, or checking the settings on your apps—are like adding extra locks to your door. Every update or fix mentioned this week is a reminder: staying informed and taking simple steps can make a big difference.
Take a moment to review your devices and check if any updates are pending. Consider setting aside a few minutes each week to catch up on security news. Ask yourself: What can I do today to make my online space safer? Whether it’s using a trusted tool to manage your passwords or double-checking links before clicking, your actions help build a safer digital world for everyone.
Thank you for reading, and here’s to staying secure and smart in our everyday tech choices.