Black Basta ransomware inner workings

Feb 28 2025



Welcome to Gone Phishing, your weekly cybersecurity newsletter that wants to gut cybercrime like Elon’s gutting America’s federal government #DOGE 😂😂😂

Patch of the Week! 🩹

First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳

Congrats to CISA, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Time for hackers to CISA and desist ✋🏻🛑⛔️

🚨 CISA Adds Microsoft & Zimbra Flaws to KEV List – Patch Now! 🔧

CISA has flagged two actively exploited security flaws in Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS) in its Known Exploited Vulnerabilities (KEV) catalog. 🚨

⚡ The Vulnerabilities:

1️⃣ CVE-2024-49035 (CVSS 8.7) – Microsoft Partner Center

Privilege escalation flaw allowing attackers to gain higher access.

Patched in November 2024 – Update ASAP!

2️⃣ CVE-2023-34192 (CVSS 9.0) – Zimbra ZCS

Cross-Site Scripting (XSS) flaw lets attackers inject malicious scripts.

Fixed in July 2023 (Version 8.8.15 Patch 40).

🔧 Immediate Action Required!

Federal agencies must patch by March 18, 2025.

If you use Zimbra or Microsoft Partner Center, update immediately!

⚠️ No public exploit details available, but don’t wait—these flaws are already being used in the wild! Stay secure! 🔒✨

Now, on to this week’s hottest cybersecurity news stories: 

  • 💦 Leaked: Black Basta ransomware inner workings. Strap in ☕

  • ⚠️ BEWARE: 5 ACTIVE malware campaigns in Q1 2025 📅

  • 👨🏻‍💻 Hackers access compromised Linux systems w/ new malware 👾

Oi, you Black Basta – WOAH, easy who’s naming these things, Nick Griffin?! 💀


🚨 Black Basta Ransomware Gang’s Internal Chats Leaked! 🕵️‍♂️

A massive leak of over 200,000 internal chat messages from the Black Basta ransomware gang has exposed their tactics, conflicts, and key members. The leak, spanning Sept 2023 – Sept 2024, was published by a mysterious figure, ExploitWhispers, who claimed they did it because Black Basta targeted Russian banks.

🔥 Key Takeaways from the Leak

🔹 Infighting & Betrayal – Some members scammed victims by taking ransom payments without providing a decryptor 💰🚫

🔹 Major Defections – Top members have moved to rival ransomware groups CACTUS & Akira

🔹 17-Year-Old Hacker? – A minor is allegedly part of Black Basta’s operations 😱

🔹 New Focus on Social Engineering – Inspired by Scattered Spider’s tactics 🎭

🔹 Exploits & Initial Access – They target weak RDP, default VPN credentials, and SMB misconfigurations to break into networks 🔓

💰 Black Basta’s Impact

⚠️ 500+ victims across North America, Europe, & Australia

⚠️ At least $107M in ransom payments in Bitcoin since 2022 💵

⚠️ Uses malware droppers & legit file-sharing platforms (transfer.sh, temp.sh) to evade detection 🕵️‍♂️

🛑 Ransomware Moves Faster Than Ever

📢 Once inside, Black Basta can take over a network in minutes! Cybersecurity experts warn that attackers no longer waste time once they breach an organization.

🌍 Ransomware Surge Continues

Meanwhile, other major ransomware gangs like Cl0p & Ghost are ramping up attacks:

🔹 Cl0p exploits new vulnerabilities (CVE-2024-50623) to breach organizations 🔓

🔹 Ghost actors (China-based) attack critical infrastructure, schools, healthcare, and businesses using old exploits 🏴‍☠️

🔐 How to Stay Protected

✅ Patch vulnerabilities & secure RDP/VPN access 🔄

✅ Monitor for unusual file-sharing traffic 🧐

✅ Educate employees about phishing/social engineering 📧

✅ Have a ransomware response plan in place 🚨

The ransomware ecosystem is shifting—but leaks like these expose their inner workings and help defenders fight back! 🔥

Tired of Spam Messages, Scam Calls, and Phishing Attempts? You Need to Address the Root Cause.

Tech companies and data brokers profit off of your personal information. This makes you vulnerable to spam, fraud, and phishing attempts. Cloaked searches for you across 120+ data brokers to remove your info, then generates unlimited email IDs and phone numbers to stand in for your real identity.

Sweet home MALalabama 🏡👾💀

🚨 Cyber Threats in Q1 2025: Key Malware Families & Tactics ♟️

The first quarter of 2025 saw aggressive new malware campaigns, with cybercriminals refining their attack techniques. Here are five major threats identified so far:

🖥️ NetSupport RAT – Remote Control via Fake CAPTCHAs

Cybercriminals used ClickFix attacks to deliver NetSupport RAT by injecting fake CAPTCHA pages into compromised sites. Victims unknowingly executed malicious PowerShell commands, granting attackers:

🔹 Full remote access to their systems

🔹 Keystroke logging & credential theft

🔹 Persistent system modifications for stealth

💰 Lynx Ransomware – Expanding Ransomware-as-a-Service

Lynx RaaS has rapidly grown, targeting businesses worldwide with:

🔹 80% revenue share for affiliates 💵

🔹 Data theft before encryption for double extortion 🔐

🔹 Recent attacks on law firms & truck dealerships 🚛

🕵️ AsyncRAT – Phishing with TryCloudflare Tunnels

Attackers deployed Python payloads via Dropbox phishing links, hiding AsyncRAT inside:

🔹 LNK shortcuts & PowerShell scripts

🔹 Encrypted communications for stealth

🔹 Credential theft & persistent access

🛑 Lumma Stealer – Hiding in GitHub Releases

Cybercriminals abused GitHub to distribute Lumma Stealer, which:

🔹 Steals browser credentials, cookies, and crypto wallets

🔹 Delivers additional malware (Vidar, Cobeacon)

🔹 Uses registry modifications to maintain access

🎭 InvisibleFerret – Fake Job Scams Targeting Professionals

Disguised as legitimate software in fake job interviews, InvisibleFerret:

🔹 Steals sensitive data & source code

🔹 Blends malicious traffic with normal activity

🔹 Uses advanced obfuscation to avoid detection

🔐 Stay Safe!

Avoid unknown links & downloads

Monitor network traffic for suspicious activity

Keep software & security tools updated

Cybercriminals are getting smarter—staying informed is the first step to staying secure! 🚨

Hiring around the world? Get the guide to global hiring.

With Deel’s Business Case for Global Hiring Guide, you’ll discover how to overcome the most common global hiring challenges and what route works best for your expanding workforce.

Get our guide for the best talent

Auto-Color me shocked 😏

🚨 Auto-Color: Stealthy Linux Malware Targeting Universities & Government Orgs 🏛️

A new Linux malware, Auto-Color, has been found targeting universities and government agencies in North America and Asia between November and December 2024. It grants full remote access to infected machines, making it extremely difficult to remove.

🎭 How Auto-Color Evades Detection

🔹 Uses harmless-looking file names (e.g., door, egg) 🥚

🔹 Hides C2 communications by modifying /proc/net/tcp 📡

🔹 Deploys a malicious library (libcext.so.2) for persistence 🛠️

🔹 Protects /etc/ld.preload to block removal 🚫

🔥 How It Works

1️⃣ Requires manual execution on a Linux machine

2️⃣ If launched as root, it installs itself in /var/log/cross/auto-color 📁

3️⃣ Hooks into system calls to hide activity 🔍

4️⃣ Contacts a C2 server to receive remote commands 🔗

🕵️ What Attackers Can Do

❌ Spawn a reverse shell for remote access

❌ Modify, create, or delete files 📝

❌ Gather system information 📊

❌ Turn the infected machine into a proxy 🌍

❌ Uninstall itself with a built-in kill switch 🔪

🔐 How to Stay Safe

🚨 Avoid running unverified executables

🔄 Monitor /etc/ld.preload for unauthorized modifications

🛡️ Use endpoint security to detect unusual network activity
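One way to turn the "monitor /etc/ld.preload" advice into a repeatable host check, as an added example that is not code from the newsletter or from the Auto-Color research. The indicator paths and library name come from the article above; the page writes /etc/ld.preload, while glibc's actual preload file is /etc/ld.so.preload, so the script checks both. The "trusted" library directories are an assumption for illustration.

```python
"""Audit a Linux host for the Auto-Color persistence indicators named above.

Added example (not the newsletter's or the researchers' code). Assumptions:
indicator paths/names are taken from the article; the trusted-directory list
is a constructed heuristic, not a published rule.
"""
import os

# Indicators from the article; /etc/ld.so.preload is glibc's real preload file.
PRELOAD_FILES = ["/etc/ld.so.preload", "/etc/ld.preload"]
SUSPECT_LIBRARY = "libcext.so.2"
INSTALL_PATH = "/var/log/cross/auto-color"
# Directories a legitimate preload entry is expected to live in (assumption).
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def audit_preload_content(text: str) -> list[str]:
    """Return findings for the text of a preload file.

    Every non-empty, non-comment line names a library the dynamic loader
    injects into each new process, so every entry is reported; the known
    library name and entries outside system library dirs are flagged.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if os.path.basename(line) == SUSPECT_LIBRARY:
            findings.append(f"known Auto-Color library preloaded: {line}")
        elif not line.startswith(TRUSTED_DIRS):
            findings.append(f"preload entry outside system library dirs: {line}")
        else:
            findings.append(f"preload entry present (review): {line}")
    return findings


def audit_host(preload_files=PRELOAD_FILES, install_path=INSTALL_PATH) -> list[str]:
    """Check the live host: preload file contents plus the install directory."""
    findings = []
    for path in preload_files:
        if os.path.exists(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += [f"{path}: {f}" for f in audit_preload_content(fh.read())]
    if os.path.exists(install_path):
        findings.append(f"install path exists: {install_path}")
    return findings


if __name__ == "__main__":
    for finding in audit_host() or ["no Auto-Color indicators found"]:
        print(finding)
```

On a clean host the preload file is normally absent, so any output at all deserves a look; run it as root so the preload file and /var/log are readable.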

Auto-Color is stealthy, persistent, and highly evasive—making vigilance key to defense! 🚧

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
