Jan 17 2025
Welcome to Gone Phishing, your weekly cybersecurity newsletter that’s the Elon Musk to cybercrime’s Keir Starmer 🤣😂🤣😂🤣
Patch of the Week! 🩹
First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳
Congrats to Microsoft, the cybercriminals are no match… for your patch! 🩹
Check out this freshly hatched patch 🐣
🚨 Microsoft’s 2025 Patch Bonanza! 🛠️
Microsoft kicked off the year with 161 security fixes, including 3 actively exploited zero-days in Hyper-V (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) that can grant SYSTEM access. These flaws have landed in CISA’s KEV list—patch by Feb 4, 2025! 🔒
🔥 Highlights
Critical RCE Vulnerabilities:
📧 CVE-2025-21298: Malicious emails in Outlook can lead to RCE.
🛡️ CVE-2025-21295 & CVE-2025-21311: SPNEGO and NTLM flaws allow remote code execution or privilege escalation.
🗄️ BitLocker Risk (CVE-2025-21210): Attackers with physical access could recover sensitive data from hibernation images. 😬
🔧 What to Do
✅ Update ASAP: Focus on Hyper-V, Outlook, and BitLocker patches.
✅ Stay Cautious: Avoid suspicious files and emails.
This is Microsoft’s largest patch drop since 2017—don’t get caught unprepared! Secure your systems and stay safe in 2025! 🚀✨
Now, on to this week’s hottest cybersecurity news stories:
🕸️ Web3 developers targeted w/ ‘Operation 99’ fake LinkedIn profiles 👤
🕵🏻‍♂️ PlugX malware deleted from 4,250 hacked computers by FBI 👮🏼
👨‍👨‍👧‍👧 Millions exposed to failed startup domain flaw via OAuth vuln 🐞
The notorious Lazarus Group 🎭, linked to North Korea 🇰🇵, is back with Operation 99, targeting developers in Web3 🌐 and crypto 💰 with crafty job scams.
🎬 The Plot
1️⃣ Fake recruiters 🤝 on LinkedIn lure victims with freelance gigs.
2️⃣ Victims clone malicious GitLab repositories 🖥️ filled with hidden malware.
3️⃣ Malware connects to C2 servers 🌍, embedding itself in victims’ systems.
🌍 Global Reach
Major hits in Italy, US, UK, France, and Germany.
🛠️ Malware Arsenal
Main99 🪓: Downloads more malware.
Payload99 💾: Steals files, tracks activity, & keeps the malware running.
Brow99 🔓: Swipes browser data for passwords.
MCLIP ⌨️: Monitors keystrokes & clipboard in real-time.
🎭 Sophisticated Tactics
🔹 AI-Generated LinkedIn Profiles 🤖 make the recruiters look legit.
🔹 Coding projects 🧑💻 are just bait to deliver malware.
💡 Why It Matters
Lazarus Group uses stolen crypto 🪙 to fund their regime, making this a high-stakes game for Web3 and crypto developers.
🛡️ Stay Safe
🚫 Don’t trust unverified job offers.
🛑 Avoid cloning random repositories 🖥️.
🔍 Use advanced threat detection tools!
🛠️ The Lazarus Group is evolving their scams to outsmart even vigilant developers. Stay alert, and don’t get caught in Operation 99’s net! 🕵️✨
Everyone talks about AI, but no one has the time to learn it. So, we found the easiest way to learn AI in as little time as possible: The Rundown AI.
It's a free AI newsletter that keeps you up-to-date on the latest AI news, and teaches you how to apply it in just 5 minutes a day.
Plus, complete the quiz after signing up and they’ll recommend the best AI tools, guides, and courses – tailored to your needs.
The FBI has successfully wiped PlugX malware (aka Korplug) from over 4,250 infected computers 🌍 in a multi-month cyber cleanup!
💡 What is PlugX?
PlugX is a remote access trojan (RAT) 🐉 linked to Chinese state-sponsored hackers, including the notorious Mustang Panda 🐼. This malware enables:
Remote control 🕹️ of infected devices
Data theft 📂, targeting dissidents, governments, and businesses
🎯 Targets Spanned the Globe
U.S., Taiwan, Hong Kong, India, Japan, and more were hit, highlighting its widespread reach.
🛡️ How the FBI Fought Back
🔍 Working with Paris prosecutors and Sekoia, the FBI initiated a self-delete command 🗑️ in July 2024, erasing the malware from infected systems without harming legitimate files.
⚙️ Steps Taken to Clean Systems
1️⃣ Deleted PlugX files and registry keys 🗂️
2️⃣ Stopped the malware process 🚫
3️⃣ Removed residual directories and temporary files 📤
🎉 Key Wins
✔️ Over 59,475 disinfection payloads sent across 10 countries
✔️ PlugX eradicated from home and corporate devices in the U.S. and beyond
🌐 Lessons Learned
This operation underscores the aggressive tactics of PRC-backed hackers and the growing need for proactive defense against state-sponsored threats.
🛡️ Stay Safe
💾 Keep software updated
🔒 Be wary of USB devices
🚨 Report suspicious activity
Cybersecurity is a team sport—let’s stay vigilant! 💻✨
Business news explained in plain English
Straight facts, zero fluff, & plenty of puns
100% free
🛡️ New Research Alert! A flaw in Google’s "Sign in with Google" flow exposes users to data theft when failed startups’ domains are reused. Here's the scoop:
🐾 How It Works
1️⃣ Hackers buy domains from defunct startups 💰.
2️⃣ They recreate old employee email accounts 📩.
3️⃣ Boom! Access granted to SaaS platforms like Slack, Zoom, and HR systems 🗂️—no password needed!
💥 What’s at Stake?
🔑 Sensitive data galore:
📄 Tax forms, pay stubs, social security numbers
🤫 Confidential candidate feedback and job offers
🔑 Crypto keys, business documents, and more
⚙️ Why It Happens
🔄 Google’s OAuth flow identifies users to apps by email + domain 🏷️, and both are inherited by whoever owns the domain next.
🛑 If apps don’t use Google’s unique sub claim as the user ID, attackers can impersonate former users after a domain changes hands.
🔍 The Fixes?
✅ Google updated docs: "Always use the sub field as a unique ID" 🛡️.
✅ For companies: Delete user data when accounts close ✂️.
✅ For apps: Implement strong account management 🛠️.
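To make the "email + domain vs. sub" point concrete, here is an added toy example (not code from the research or from Google) that models a SaaS app keying accounts the vulnerable way beside one keying on sub, plus the offboarding fix. All claims, names and file lists are constructed sample data, not real tokens.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    sub: str                      # Google's immutable per-user identifier
    email: str
    hd: str                       # hosted-domain claim from the ID token
    files: list = field(default_factory=list)

# Constructed sample claims (not real tokens): the original employee of a
# startup whose domain later lapsed.
ORIGINAL_EMPLOYEE = {"sub": "sub-111-original", "email": "alice@startup.example", "hd": "startup.example"}
# Constructed claims from someone who later bought the lapsed domain and
# recreated alice@ in a new Google Workspace: same email and hd, but Google
# issues a different sub because it is a different account.
DOMAIN_BUYER = {"sub": "sub-999-newowner", "email": "alice@startup.example", "hd": "startup.example"}

class EmailKeyedService:
    """Vulnerable pattern: the account is found by (email, hd), so whoever
    controls the domain later inherits the old employee's data."""
    def __init__(self):
        self.accounts = {}
    def provision(self, claims, files):
        self.accounts[(claims["email"], claims["hd"])] = Account(
            claims["sub"], claims["email"], claims["hd"], files)
    def login(self, claims):
        return self.accounts.get((claims["email"], claims["hd"]))

class SubKeyedService:
    """Hardened pattern: the account is found by sub, so a new Google account
    with a reused email gets a fresh, empty account instead of the old one."""
    def __init__(self):
        self.accounts = {}
    def provision(self, claims, files):
        self.accounts[claims["sub"]] = Account(
            claims["sub"], claims["email"], claims["hd"], files)
    def login(self, claims):
        return self.accounts.setdefault(
            claims["sub"], Account(claims["sub"], claims["email"], claims["hd"]))
    def offboard(self, sub):
        # The "delete user data when accounts close" fix from the text.
        self.accounts.pop(sub, None)

def files_visible_to_domain_buyer(service_cls):
    """Provision the original employee, then sign in with the buyer's claims
    and return whatever files that sign-in can see."""
    svc = service_cls()
    svc.provision(ORIGINAL_EMPLOYEE, ["W-2 tax form", "pay stubs"])
    return svc.login(DOMAIN_BUYER).files
```

Running files_visible_to_domain_buyer against each class shows the email-keyed app handing the old employee's files to the new domain owner, while the sub-keyed app gives them an empty account.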
💡 Pro Tips for You
📧 Never reuse old domains for sensitive accounts.
🗑️ Always wipe data from SaaS platforms when leaving a startup.
🔐 Verify apps follow OAuth best practices.
🚨 This is a wake-up call for startups, SaaS providers, and users—secure your data before it’s too late! 🚀✨
🗞️ Extra, Extra! Read all about it! 🗞️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
Let us know what you think.
So long and thanks for reading all the phish!