Written by
Team Nucleus
Written on
28th February, 2025
Analyst Insight
This Week in Cyber, we have seen an increase in threat actors stealing cryptocurrency from both exchanges and individuals. This is illustrated by the Lazarus Group stealing a record-breaking $1.5 billion in crypto from the ByBit exchange, and by a new malware campaign masquerading as open-source projects hosted on GitHub that moves users' crypto into an attacker-controlled wallet. We also saw a major French telecommunications operator breached by a member of a notorious ransomware gang. Finally, there is debate over the privacy and security implications of Apple removing Advanced Data Protection.
Lazarus Group Behind $1.5bn Crypto Theft
The notorious Lazarus Group is thought to have been behind a cryptocurrency theft from the exchange Bybit. Bybit released a statement on Friday detailing the incident as it was identified. They described the compromise of a smart contract that masked the fraudulent transaction during a routine transfer between one of their cold wallets and a hot wallet. Independent crypto fraud investigator ZachXBT discovered links between the hackers and the Lazarus Group after finding a wallet previously used by the group in the chain of subsequent transfers. These findings were further substantiated by the crypto intelligence company TRM Labs. Lazarus appears to have already beaten its previous yearly theft record, exceeding last year's cumulative $1.34 billion of crypto thefts in a single incident.
GitVenom Malware Steals $456k in Bitcoin using Fake GitHub Projects
Kaspersky has identified an ongoing campaign that masquerades as open-source projects hosted on GitHub. These fake projects, written in multiple languages, launch an embedded malicious payload designed to retrieve additional components from attacker-controlled GitHub repositories. Among these modules are infostealers designed to crack passwords and collect information, which is exfiltrated to the threat actors via Telegram. Bundled with the infostealer are remote access tools such as AsyncRAT, used to assume control over infected hosts. Clipper malware is also deployed so that the threat actor can redirect cryptocurrency transfers into an adversary-controlled wallet. Furthermore, Bitdefender has revealed that scammers are seeking to exploit major e-sports events in order to target players of popular games.
Apple Removes Advanced Data Protection Ability from Devices
After pressure from the UK Home Office for the right to access data on Apple devices, the tech giant removed its Advanced Data Protection (ADP) feature from its iCloud service in the UK. ADP adds an extra layer of protection, so Apple cannot see or gain access to data held in the iCloud account. Law enforcement likewise cannot see or gain access to that data, because Apple does not hold the encryption key.
The removal will make it much easier for law enforcement to request access to data held on the iCloud service, and so easier to gather evidence against criminals. But some backlash from customers has arisen over data security and privacy concerns.
Large Botnet Targets Microsoft 365 Accounts in Credential Spraying Attack
A massive botnet comprising over 130,000 systems has been launching large-scale password-spraying attacks against Microsoft 365 through a lesser-known non-interactive authentication feature that is not commonly monitored by security teams. The method allows the threat actors to perform high-volume password-spraying attacks with a low chance of detection, increasing the risk of account takeovers and other security breaches.
"As we have seen direct evidence of this behaviour in our non-interactive sign-in logs, we encourage anyone operating an M365 tenant to immediately verify whether they are affected, and if so, to rotate credentials belonging to any organization accounts in the logs," advises SecurityScorecard.
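The check SecurityScorecard recommends can be scripted against an export of the non-interactive sign-in log. The following is an added example, not code from SecurityScorecard or Microsoft: it groups failed sign-ins by source IP and flags IPs that failed against many distinct accounts (the spraying signature), listing any accounts that later succeeded from the same source as candidates for credential rotation. The field names and the sample events are constructed assumptions loosely modelled on Entra ID sign-in exports; map them to your tenant's actual schema.

```python
import json
from collections import defaultdict

# Constructed sample of non-interactive sign-in events, one JSON object per line.
# Field names are assumptions (adjust to your export). Error code 50126 is the
# Entra ID code for an invalid username or password; 0 means success.
SAMPLE_LOG = """
{"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "errorCode": 50126}
{"userPrincipalName": "bob@example.com",   "ipAddress": "203.0.113.10", "errorCode": 50126}
{"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.10", "errorCode": 50126}
{"userPrincipalName": "dave@example.com",  "ipAddress": "203.0.113.10", "errorCode": 0}
{"userPrincipalName": "erin@example.com",  "ipAddress": "198.51.100.7", "errorCode": 50126}
{"userPrincipalName": "erin@example.com",  "ipAddress": "198.51.100.7", "errorCode": 50126}
{"userPrincipalName": "erin@example.com",  "ipAddress": "198.51.100.7", "errorCode": 0}
"""

BAD_PASSWORD = 50126
SUCCESS = 0


def parse_events(text):
    """Parse newline-delimited JSON sign-in events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_spraying_sources(events, min_distinct_users=3):
    """Return {ip: {...}} for source IPs whose failures span many distinct accounts.

    Repeated failures against a single account (198.51.100.7 above) are not
    spraying and are left out; one source touching several accounts is flagged.
    """
    failed_users = defaultdict(set)
    succeeded_users = defaultdict(set)
    for ev in events:
        ip, user, code = ev["ipAddress"], ev["userPrincipalName"], ev["errorCode"]
        if code == BAD_PASSWORD:
            failed_users[ip].add(user)
        elif code == SUCCESS:
            succeeded_users[ip].add(user)
    findings = {}
    for ip, users in failed_users.items():
        if len(users) >= min_distinct_users:
            findings[ip] = {
                "failed_accounts": sorted(users),
                # Accounts that authenticated from a spraying source: rotate these first.
                "succeeded_accounts": sorted(succeeded_users.get(ip, set())),
            }
    return findings


if __name__ == "__main__":
    print(json.dumps(find_spraying_sources(parse_events(SAMPLE_LOG)), indent=2))
```

On real data, raise `min_distinct_users` to suit tenant size and run the check per time window, since spraying is typically slow and spread across days.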
Orange Confirms Data Compromised by Hellcat Ransom Group Member
Telecommunications giant Orange has confirmed that a hacker stole thousands of internal documents containing user records and employee data. The threat actor's claims of the data leak were first sighted on BreachForums after an unsuccessful extortion attempt against the firm, posted by a user under the alias "Rey" who has been attributed to the Hellcat ransomware group. The data is predominantly from the Romanian branch of the company and includes 380,000 unique email addresses, source code, invoices, contracts, and customer and employee information.
In an interview with BleepingComputer, the threat actor said that "the breach was not a HellCat ransomware operation and that they had access to Orange's systems for over a month".