Sign in Subscribe
7 min read

this week in security — february 2 2025 edition

Musk has 'full access' to sensitive Treasury systems, DeepSeek exposed database, WhatsApp says Paragon spyware hacked dozens, and more.

THIS WEEK, TL;DR

Musk's DOGE team now has access to Treasury's payments system
The New York Times ($): Elon Musk's team of Department of Government Efficiency (DOGE) representatives has swept across government over the past week, locking out career civil servants at the Office of Personnel Management (the federal government's HR department) from their critical computer systems, and taking over the General Services Administration. Now, Musk and his team has "full access" to the Treasury's highly sensitive payments systems after the Treasury Secretary Scott Bessent granted the approval in the same week as ousting the department's top career official, who resisted the access. These payment systems are used for disbursing $6 billion or so to Americans, like tax rebates and Social Security checks, and contain highly personal information about the people who receive them, amid fears that Musk could selectively switch off payments to individuals. Ron Wyden said Musk's access was a national security risk, given his conflicts over his extensive business in China (which, let's not forget, has hacked the heck out of America of late). One former Republican strategist called Musk's access "the most significant data leak in cyber history... Private individuals in the data business now have access to your Social Security information." State AGs — well, some of them — will have a field day with this.
More: Reuters ($) | Wired ($) | TechCrunch | Associated Press | New Republic | @gregsargent | @stuartpstevens

FBI seizes Cracked, Nulled hacking forums in Operation Talent
Bleeping Computer: The FBI* (*what's left of the FBI) have seized the websites of two prolific hacking forums Cracked and Nulled, which prosecutors said allowed more than 10 million users between them to trade in hacking tools and stolen personal data. The FBI began seizing the domains on Jan. 29, which we saw thanks to public DNS changes. Two more sites were seized, too. The takedown operation, dubbed Operation Talent, saw two people arrested. A ton of countries were behind the takedown operation, including Australia, Germany, Greece and Spain. Bad news for anyone of the 10 million users between them, your data is in the hands of the feds. Per the DOJ, Cracked had stolen data on some 17 million Americans.
More: Reuters ($) | Cyberscoop | TechCrunch

DeepSeek exposed database spilling chat histories
Wiz: DeepSeek, the Chinese AI company, has become all the rage in recent weeks, allegedly outperforming some Western models. But one thing it wasn't doing so well was keeping its backend databases secured from the open internet. Wiz discovered one of its exposed databases without any authentication, containing a million logs — including chat histories (of what was entered into the prompts and what came back) and other sensitive information, like API keys. (These exposures are almost always due to human error.) DeepSeek secured the database after Wiz reached out — and later confirmed the fix in a note to the Wiz researcher, @galnagli. Wired ($) had a very good write-up.
More: Reuters ($) | Cyberscoop | @vxunderground

vx-underground tweet, with a meme of a man looking visibly upset by "China having your chat logs," but seems fine with "Everyone having your chat logs."

WhatsApp disrupts hacking campaign targeting journalists with Paragon spyware
TechCrunch: And here we are again. Meta's WhatsApp unit said it disrupted an attack that saw 90 users — including journalists and members of civil society — have their phones hacked with zero-click spyware developed by Paragon by way of malicious PDFs. (Lockdown Mode ftw!) No need to update your devices this time as WhatsApp fixed the bug at the server side. It's not clear which Paragon customer (read: government) ordered the spying, but at least one Italian journalist was notified of the hacking. Paragon is Israeli-made spyware but was just recently agreed to be acquired by AE Industrial, a U.S. private equity giant — so that's going to complicate things... Paragon is classic spyware, it punches into your phone without you knowing. U.S. ICE signed a contract with Paragon's U.S. subsidiary last year, but apparently comes with safeguards to prevent customers overseas from targeting U.S. citizens (but not the U.S. government...)
More: The Guardian | NBC News | The Record

~ ~

THE STUFF YOU MIGHT'VE MISSED

All Apple devices get security updates after zero-day exploited
Apple: Every Apple device got updates this week — from iPhones to iPads, Macs, Apple Watches and TVs, and its Vision Pro headset — thanks to a zero-day bug under attack in CoreMedia, the media engine shared across various Apple platforms. This is Apple's first zero-day of the year. (Phhrrbbt.... 🥳 — no, not this time!) Details of the bug weren't disclosed — but have occasionally been related to spyware compromises. Devices running software older than iOS 17.2 were actively hacked, whereas other devices were just vulnerable (or that no exploitation was detected). Update all of your devices!

Meet the 23-year-old who infiltrated a North Korean laptop farm
Sasha Ingber: Fascinating story of threat intelligence CEO Aidan Raney, who told the story of how he infiltrated a North Korean IT worker operation aimed at exploiting U.S. businesses. This story goes behind the scenes and offers rare insights into how the North Korean operation works — to gain employment, earn money, then steal and extort corporate data — the so-called "triple threat" — all to fund the regime's nuke program.

SonicWall reports new zero-day under attack
TechCrunch: It's update-your-tech o'clock again. This time it's SonicWall warning of a new unauthenticated bug in its widely used SMA1000 software used to remotely manage a range of its corporate firewalls. The bug, tracked as CVE-2025-23006 was flagged by Microsoft but details of exploitation remain slim. SonicWall is the latest in a long string of enterprise tech makers that've been hit by device hacks in recent years — thanks to their buggy tech products. It's a little ironic, given these devices are meant to protect from outside threats and intruders, but given their position on the network as digital gatekeepers, the simplest bug can undermine the entire product's security, rendering it moot and the network it's protecting compromised. Hundreds of companies are affected by this latest bug, per @nekono_naha.

Almost one-in-10 people use the same four-digit PIN
ABC (Australia): Fascinating research from Have I Been Pwned's database of "pwned passwords," or passwords that have been previously breached and therefore no longer unique (read: unsafe). Aussie news outlet ABC took 29 million four-digit PIN codes from the database and discovered the most popular reused PIN codes. Of course, there are some predictable ones — 1234, 0000, and the like — though some might surprise you — but the analysis is pretty smart and worth reading. And, if you're using a more predictable code (since there are only 10,000 of them), this might make you rethink your choices. (via @troyhunt)

A graph showing the popularity of 4-digit passcodes. In this example. it shows 2580 "might seem like a strange one to be in the top 40" popular passcodes, but that it's four vertical digits on a phone keypad.

ExtensionHound analyzes DNS queries from Chrome extensions
Amram Englander: Since Chrome extensions (and other browser plugins) have come under the spotlight of late, including "sync-jacking" attempts and just plain-old hacking into developer accounts, analyzing potentially problematic extensions for shady code or network connections can be tricky. ExtensionHound is a new open-source project that can identify DNS queries made by browser extensions for suspicious traffic. (via @campuscodi and @df1r633k)

~ ~

OTHER NEWSY NUGGETS

PowerSchool begins disclosure after huge hack: School management software maker PowerSchool has begun formally notifying affected individuals of its breach. So far, the company has disclosed to state AGs that well over a million people had information stolen in the hack — which was so far blamed on a stolen credential with no MFA. PowerSchool says it "cannot confirm" (or won't — take your pick) a precise number of affected individuals yet. The number is likely to extend into the tens of millions, per Bleeping's report. (via TechCrunch, PowerSchool )

Gemini AI, help me hack: Hackers linked to China, Iran and other not-so-friendly nations are using AI to beef up their cyberattacks against U.S. and global targets, per U.S. officials and new research from Google's threat intel folks. Google's own Gemini was used to help write malicious code and hunt for vulnerabilities (flex much?). AI use by adversarial nations isn't new, but clearly it's becoming an increasing part of the hackers' research capabilities. (via Google, WSJ ($))

MGM hacks hit 37 million people... twice: What's worse than a massive hack of 37 million people? A hack of 37 million people, twice. That appears to have been the case after a historical hack in 2019 saw millions of MGM customer records posted online, then a ransomware attack in 2023 that saw much of MGM's Las Vegas properties hit by extensive outages and disruption. Following the breaches, customers sued in a bunch of class action suits. Now consolidated into one mega-class action, MGM has agreed to pay $45 million to settle the breaches — though, 30% of the payout goes straight to the lawyers. (via The Record, WSJ ($))

AngelSense spilled customers' location data: AngelSense, a GPS tracking company for people with disabilities, left an exposed logging database to the internet without a password, which contained reams of sensitive and personal information from AngelSense systems — including real-time precise location data of individuals being tracked. The data was accessible from the web browser, and viewable in plaintext. (Disclosure alert: I wrote this story.) UpGuard found the database and alerted the company — which took a week and a follow-up phone call to offline the database. (via UpGuard, TechCrunch)

~ ~

~ ~

THE HAPPY CORNER

Welcome back to the happy corner, where everyone is welcome. Remember, it's not a controversial opinion to care about other people.

Cue a much-needed Inspirational Skeletor, since it's all we have this week.

An Inspirational Skeletor meme, which reads: "Owning our story and loving ourselves through that process is the bravest thing we'll ever do."

If you have good news you want to share, get in touch at: this@weekinsecurity.com.

~ ~

CYBER CATS & FRIENDS

Franklin is this week's cybercat, who... *whispers*... can be seen here ready to report this week's top cybersecurity news. Don't want to interrupt your recording, Franklin... oh — psst! — thanks to Ingrid S. for sending in!

Franklin is a brown fluffy kitty sitting on their human's desk in front of a microphone.

Keep sending in your cyber cats! (or a non-feline friend). Drop me an email at any time with their name and a photo, and they'll be featured in an upcoming newsletter!

~ ~

SUGGESTION BOX

That's it for this week's... messy news situation. As always, please do drop me an email if you want to get in touch with anything about or for the newsletter. It's really lovely hearing from you — and your cybercats (or friends).

Your cyber friend,
@zackwhittaker

Published by:

Zack Whittaker