
🚨 Week 8 Debrief: Bybit $1.46B Hacked, BlackBasta's Downfall, Italian Banks and Airports DDoS Attack, Salt Typhoon Compromises US Telecom, Grok 3 Vuln & more

Insights into Cyber Risks, Threat Intel and Startup and VC updates

Bybit, a cryptocurrency exchange, experienced a massive $1.46 billion hack linked to North Korea's Lazarus Group. The attackers deceived Bybit's security team using a fake user interface (UI) that masked the real transaction details, ultimately granting the hackers control over Bybit’s Ethereum cold wallet. The compromised wallet was then emptied, with all ETH transferred to an unknown address. Despite the breach, Bybit assures users that other wallets remain secure, and withdrawals are functioning normally. The hack is potentially connected to the recent Phemex exploit, suggesting a coordinated operation. Bybit has reported the incident to law enforcement and is collaborating with on-chain analytics providers to track and recover the stolen funds. The exchange has also received $4 billion in liquidity support to maintain platform stability. Lazarus Group is actively laundering the stolen funds through mixers and cross-chain bridges.

Key points:

  • Initial reports of suspicious outflows from Bybit surfaced, with ZachXBT reporting $1.46 billion in outflows.

  • Bybit CEO Ben Zhou confirmed the hack, explaining how the security team was tricked by a masked UI.

  • Only one ETH cold wallet was affected, while other wallets remain secure.

  • Arkham Intelligence linked the attack to the Lazarus Group, a North Korean cybercriminal organization.

  • The hack is connected to the Phemex hack, suggesting a coordinated operation.

  • Bybit has reported the incident to law enforcement and is working to blacklist attacker addresses.

  • The exchange received $4 billion in liquidity support to ensure platform stability.

  • Lazarus Group is laundering the stolen funds by converting ERC-20 tokens into ETH, swapping ETH for BTC, and gradually offloading Bitcoin into CNY via Asian exchanges.

  • Cross-chain bridges like Chainflip have taken temporary actions to slow the movement of funds.

  • OKX is assisting Bybit with IT security and liquidity support.

💻 Malware and Vulnerabilities

Elon Musk's AI chatbot, Grok 3, had a security flaw that allowed users to access its backend. A coder found a line of code that could be used to access Grok's systems. The issue was quickly patched, but not before raising concerns about the security of sensitive government data, given Musk's work with the Department of Government Efficiency (DOGE). Critics also mocked the lack of basic security features like server-side validation. Musk has touted Grok 3's capabilities and alignment with his own views.

CISA added Palo Alto Networks and SonicWall flaws to its KEV catalog, requiring federal agencies to patch them. The flaws include: CVE-2025-0108, an authentication bypass in Palo Alto Networks PAN-OS; CVE-2024-53704, an authentication vulnerability in SonicWall SSLVPN; and CVE-2025-0111, an external control of filename vulnerability in Palo Alto Networks PAN-OS. Exploit attempts of CVE-2025-0108 are surging, and CVE-2024-53704 is being weaponized.

📈 Breaches and Incidents

Chinese hackers (Salt Typhoon/Red Mike) compromised Cisco devices globally, targeting telecom providers. They exploited CVE-2023-20198 and CVE-2023-20273 to access sensitive data. Over 1,000 devices were targeted, including those in the U.S., U.K., and South Africa. The group installed GRE tunnels for persistent access. The U.S. sanctioned Sichuan Juxinhe for its involvement. The attacks highlight the risk of state-backed cyber espionage.
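Added example, not code from the newsletter or from any of the sources it summarises: a small Python check that parses a constructed Cisco IOS running-config excerpt and flags GRE tunnels whose destination is not on an assumed allowlist, the kind of unexpected persistence artifact described above. The config sample, hostnames, addresses and allowlist are all constructed.

```python
import re

# Constructed sample of an IOS-style running-config excerpt (not a real device).
# Tunnel10 is an approved site-to-site link; Tunnel99 was never provisioned.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
interface Tunnel10
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.20
 tunnel mode gre ip
!
interface Tunnel99
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
!
"""

# Tunnel endpoints your change records say should exist (assumed allowlist).
APPROVED_DESTINATIONS = {"198.51.100.20"}

def parse_tunnels(config):
    """Map each Tunnel interface name to its destination and tunnel mode."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (Tunnel\S+)", line)
        if m:
            current = m.group(1)
            tunnels[current] = {"destination": "", "mode": ""}
        elif not line.startswith(" "):
            current = None  # '!' or a new top-level command ends the block
        elif current:
            d = re.match(r"^ tunnel destination (\S+)", line)
            mo = re.match(r"^ tunnel mode (.+)$", line)
            if d:
                tunnels[current]["destination"] = d.group(1)
            if mo:
                tunnels[current]["mode"] = mo.group(1).strip()
    return tunnels

def unexpected_gre_tunnels(config, approved=APPROVED_DESTINATIONS):
    """Names of GRE tunnels whose destination is not on the allowlist. IOS defaults a
    Tunnel interface to GRE and omits that default from 'show running-config'."""
    flagged = []
    for name, t in parse_tunnels(config).items():
        is_gre = t["mode"] == "" or t["mode"].startswith("gre")
        if is_gre and t["destination"] not in approved:
            flagged.append(name)
    return flagged
```

Run it against exported configs from each device and diff the result against the previous export; a tunnel that appears without a matching change ticket is worth an incident-response look.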

A major data leak exposed 25 million records from Lietvaris, a Latvian document management system used by the Latvian government. The data, stored on an unprotected Elasticsearch cluster, included names, national IDs, and home addresses of Latvian citizens. The vulnerability was quickly addressed after discovery. Researchers recommend securing servers, compliance review, and monitoring.

Pro-Russia group NoName057(16) launched DDoS attacks on Italian airports and banks. Sites for the Milan airports, Intesa Sanpaolo bank, and the transport authority were disrupted. The attacks followed Italian President Mattarella's remarks comparing Russia's actions to the Third Reich. The group previously targeted Italy during Zelensky's visit. The Italian National Cybersecurity Agency (ACN) mitigated the attacks.

🚨 Threat Intel & Info Sharing

The FBI warns of Ghost ransomware, a dangerous campaign targeting multiple industries across 70+ countries. Ghost exploits known vulnerabilities in software/firmware to access internet-facing servers. The FBI advises immediate backups, patching, network segmentation, and MFA. Ghost actors have been seen exploiting vulnerabilities, including those in Fortinet, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange.

Leaked files from TopSec, a Chinese cybersecurity firm, reveal its probable involvement in internet censorship for the Chinese government. The data leak included over 7,000 lines of work logs and code, revealing scripts connecting to Chinese government hostnames, academic institutions, and news sites. TopSec offers web content monitoring services, including detection of events related to tampering and sensitive words. The leak highlights the close ties between the Chinese government and private cybersecurity firms.

Chinese cybersecurity firms investigated the NSA's alleged cyberattack (APT-C-40) on Northwestern Polytechnical University in 2022. The NSA's Tailored Access Operations (TAO) reportedly used over 40 malware strains for data theft. Attack patterns showed US working hours and holidays. Investigators traced the attack through human error, tool overlaps, and IPs purchased via cover companies. The NSA allegedly used zero-days, MiTM, and tools like FOXACID and SECONDDATE for access and persistence.

BlackBasta ransomware group's internal chatlogs have been leaked, revealing internal conflicts and a subsequent disbanding. The logs, spanning from September 2023 to September 2024, show disputes caused by a key player, 'Tramp,' prioritizing financial gain. Several members, originally from Conti, have migrated to Cactus and Akira ransomware groups. The leak exposes relationships, network access details, and operational insights, indicating that cybercriminals are their own worst enemies.

Russian state hackers increasingly target Signal accounts of Ukrainian military and government officials to access sensitive information. They use phishing with malicious QR codes, exploiting Signal’s “linked devices” feature. Sandworm linked captured battlefield devices to their systems. Another group, UNC4221, used a Signal phishing kit mimicking a Ukrainian military app. They also steal Signal database files from devices. Signal is enhancing security to combat these attacks.

⚖️ Laws, Policies and Regulations

Apple has stopped offering end-to-end encrypted iCloud backups in the UK due to a legal order. The UK government issued a Capability Notice, requiring Apple to provide access to encrypted data. New UK users won't have the option to enable Advanced Data Protection (ADP). Existing users with ADP enabled will need to disable it. This means Apple and authorities can access user data, raising privacy concerns. Users can explore third-party apps or avoid backing up sensitive data to iCloud.

Data Embassies: A New Strategy for Cyber Resilience

Smaller nations are creating "data embassies" in other countries to protect their citizens' data. These data embassies host data under the owner's laws, providing redundancy against cyberattacks or disasters. Countries like Estonia, Monaco, and Singapore are participating. Challenges include costs, geopolitics, and evolving data sovereignty laws. A network of data embassies may offer a more resilient solution.

⚖️ Cybersecurity Startups and VCs

Verkada, a security systems developer, secured $200M in Series E funding led by General Catalyst, valuing the company at $4.5 billion. Founded in 2016, Verkada offers video security cameras, access control, and environmental sensors, enhanced with AI. They have over 1.5 million devices online, serving 30,000 customers. Other security startups like Tines and Semgrep also raised significant funding this month.

NailaoLocker ransomware hit European healthcare organizations between June and October 2024. The attacks, dubbed "The Green Nailao campaign," exploited a Check Point VPN appliance zero-day (CVE-2024-24919). Attackers used RDP for lateral movement, deploying ShadowPad and PlugX malware. NailaoLocker, written in C++, encrypts files with the ".locked" extension and demands Bitcoin ransom, but unusually doesn't threaten data theft. The attacks highlight the increasing targeting of healthcare by state-aligned groups.

Beware of a sophisticated 4-step hack targeting Amazon Prime users! Scammers use realistic-looking emails about expired subscriptions to steal login credentials and payment data. The attack leads victims through fake security alerts and login pages. Enabling two-factor authentication and using a bookmarked login page can prevent this. Always report suspicious activity to Amazon.

📅 Upcoming Events

🚀 Join us for an exclusive virtual event in March, where AI and cybersecurity experts will discuss how AI and Machine Learning are revolutionizing cyber defense. This session will feature expert panel discussions exploring AI-driven threat detection, automated response strategies, and the future of intelligent security.

This is a limited virtual event tailored for CISOs and executives. It is free to join, so register today via the registration form.

We hope you enjoyed our email briefing! ☕🥮 If you want to sponsor our next edition or advertise on our site, drop us an email at [email protected].

Thank you for being a part of our newsletter community. You can also join the conversation by becoming a member of our LinkedIn Group.