this week in security — march 9 2025 edition
THIS WEEK, TL;DR
'Emergency' VMware bugs allow hypervisor escape; under attack
DoublePulsar ($): If you're an organization that runs VMware, listen up. There's a new trio of bugs dubbed "ESXicape" that allows malicious hackers to escape the protective sandbox of a VMware virtual machine and compromise the underlying hypervisor, ergo every other virtual machine on that server. It's particularly nasty as the bugs, chained together, can allow an attacker to escalate "a small amount of access at an org to full access at potentially multiple orgs," according to @GossiTheDog, who's had some of the best insights into this bug thus far. Patches are out, as are exploits — these bugs are being actively exploited as zero-days — so fix ASAP, and don't let this one go by.
More: Broadcom | VMware (GitHub) | TechCrunch | CSO Online | @GossiTheDog
Apple takes legal action in U.K. amid encryption backdoor row
BBC News: Interesting development from the U.K.! A couple of weeks ago, Apple said it was nuking its Advanced Data Protection feature (which encrypts iCloud data so nobody else can access it) in the United Kingdom. What Apple isn't legally allowed to say is that it's because the British government secretly demanded access to any iCloud customer's data anywhere in the world. Now, Apple is launching unspecified legal action at the U.K.'s Investigatory Powers Tribunal, which hears surveillance cases in secret, in an effort to overturn the demand. The case could be heard in the next few weeks, per the Beeb. Maybe folks in the U.K. will get a reprieve in the end? Meanwhile: Looks like the U.K. government scrubbed much of its encryption advice from its web pages, per @alecmuffett, which isn't a particularly good look for U.K. cyber officials.
More: Financial Times ($) | Cryptography Engineering | @privacymatters
New details of Bybit's hack of $1.4B emerge
The New York Times ($): Much, much more detail here on how the hack at Bybit, the world's second largest crypto exchange, went down. Per the Times, North Korean hackers (which have been blamed by the FBI [PDF] for the heist) exploited a bug in Bybit's security by hacking into the laptop of a developer who works at Safe, a crypto storage firm that Bybit relies on, per Safe's incident report. The North Koreans planted malicious code capable of manipulating transactions. The Wall Street Journal ($) reports that when Bybit's CEO Ben Zhou went to approve a "routine" transfer of about $80 million, Zhou's CFO would later say that the entire contents of the cold wallet — around $1.4-ish billion in crypto — were stolen. $1.4B is the largest heist in history, and so far, most of it's been successfully laundered.
More: Chainalysis | Elliptic | TechCrunch | CryptoSlate
~ ~
THE STUFF YOU MIGHT'VE MISSED
Was Cyber Command and CISA ordered to stand down on Russia?
Zero Day: So, what did happen last week when the Department of Defense reportedly (key word here!) ordered Cyber Command (which launches offensive cyber campaigns) and CISA (which works on cyber defense and intel sharing) to effectively "stand down" on Russian offensive cyber operations and threat tracking? And why did CISA and DOD deny the story as strenuously as they did? If any story warrants careful post-match analysis, it's this one, and @kimzetter, as usual, breaks this one down with absolute precision.
Former NSA official: 'Grave concerns' over U.S. cyber cuts
Rob Joyce: Former NSA cybersecurity director @rgblights testified to Congress this week on the threats faced by the U.S. from China, primarily, including Salt Typhoon (which hacked the hell out of U.S. telcos last year). But Joyce also, as an aside, warned of "grave concerns" about U.S. government cuts of probationary employees (with less than a year on the job) across the cyber domain. Around 130 probationary employees were cut from CISA alone, per CBS News. "Eliminating probationary employees will destroy a pipeline of top talent, essential for hunting and eradicating [China-nexus] threats," said Joyce. His remarks can be read here, and the full hearing is online via the House committee page.

HCRG sent journalist legal demand to take down reporting on data breach
DataBreaches.net: U.K. health giant HCRG was hit by a ransomware attack last month; we know this because the company admitted it in a legal demand that it sent to DataBreaches.net for reporting on its breach. HCRG, which said in the letter (I've seen it!) that it was hit by a "ransomware cyber-attack," threatened prison time and fines, citing a secret U.K. court injunction that the company obtained, demanding DataBreaches.net remove its posts. Given DataBreaches.net is run out of the United States and protected by the First Amendment, its operator Dissent Doe declined and instead posted about the legal threat. HCRG, meanwhile, hasn't put anything on its website about the hack. Slapping journalists with legal threats is the worst; so I wrote some words, too. (Disclosure alert!)
Scammers targeting U.S. execs with fake ransom notes
TechCrunch: Ransomware is going retro: The FBI is warning that scammers are impersonating the BianLian ransomware gang by mailing fake ransom demands to U.S. corporate executives. The letters claim to have access to the company's data, then demand payment via a QR code in exchange for not publishing it. But, per the FBI's latest IC3 [PDF] warning, it's a scam, not that anyone should be paying the ransom anyway (as the FBI has long urged). GuidePoint has a copy of the letter and what to watch out for. @briankrebs has a snap of one of the ransom notes.
~ ~
OTHER NEWSY NUGGETS
Rubrik confirms log server hack: Cybersecurity firm Rubrik confirms that... cybersecurity is difficult(!) after reporting a breach of one server containing log files, "most of which" contained non-sensitive information (so there was some sensitive data)... prompting the company to rotate its internal keys. The company said it had no evidence of unauthorized access to customer data... well maybe it can check its logs serv... oh. (via Rubrik, Bleeping Computer)
Silk Typhoon still hackin': The hacking group known as Silk Typhoon (of the wider Typhoon family of China-backed hackers) is still hacking, per Microsoft, and now targeting flaws in enterprise tech products, such as Ivanti's latest zero-day that was discovered as recently as January. This follows the gang's use of a stolen BeyondTrust key to breach the Treasury in December. Relatedly: The DOJ charged a dozen hackers that it claims are directly involved in Silk Typhoon (remember I-Soon?) and APT27, which hack on behalf of the Chinese government. (via DOJ, TechCrunch, Microsoft)
NTT Com says 18,000 orgs had data stolen: You know it's a rough week when you have to notify 18,000 customers — no, no, not people — companies — that their employees' data was stolen in a recent breach, but that's what NTT Com, one of Japan's largest enterprise networking tech giants, had to 'fess up to this week. In a statement, the company said phone numbers, email and postal addresses were taken from a service order database — but no word yet on how many individuals had data stolen. (Read: it'll probably be a lot.) (via NTT Com)
Feds link crypto breach to LastPass hack: For years now, Brian Krebs has been warning that hackers have been cracking the master passwords of customers' LastPass vaults stolen following the company's massive hack in 2022, with the goal of gaining access to the passwords of crypto wallets and draining them of their funds. LastPass has consistently said it's seen no evidence linking the theft of its customers' password vaults to several major crypto hacks. But in new court filings, the U.S. feds have reached the same conclusion as Krebs and others — that crooks are cracking customers' stolen vaults and using them to steal huge gobs of crypto. If you haven't changed your ostensibly protected passwords since 2022, now would be a good time. (via Krebs on Security)
Intel partners weigh sharing less intel: Several major intelligence partners to the U.S., including the Five Eyes (think U.K., Canada, Australia and NZ) as well as others, like Saudi and Israel, are considering sharing less intelligence with the U.S. government amid the Trump administration's "warming relations with Russia," according to sources speaking with NBC. Remember, plenty of countries still distrust Russia and Putin (and for good reason). (via NBC News)
~ ~
THE HAPPY CORNER
Welcome to the happy corner, some say the Calmest Place™ on the internet.
First off, hats off to this kid, who is clearly onto a good idea.

Here's a fun weekend project: the EFF have open-sourced and published their Rayhunter cell-site simulator detector, which can detect some cellular spying from law enforcement devices. It's pretty easy to get started, and you only need a $20 hotspot as hardware. The project is on GitHub, too. (I can't wait to try it out for myself like the folks at Wired ($) did at the DNC last year.) Also, @neurovagrant has some posts, too; apparently it can take as little as 10 minutes to get started.
Meanwhile... this post made me chuckle. Keep a pair in your "in case of cyberattack" break-glass box.

And finally, this week: a final moment of zen from Inspirational Skeletor, who always has your best interests at heart (plus: technically a bonus cybercat!).

If you have good news you want to share, get in touch at: this@weekinsecurity.com.
~ ~
CYBER CATS & FRIENDS
This week's cybercat-friend is Gabby, who can be seen here snoozing while waiting for their human to finish VR'ing for the day! Thanks so much to Karma for sending in; and a special shout-out to Mr. Pudalof who was the catalyst to getting Karma into VR gaming and software development — that's so awesome to hear!

Keep sending in your cyber-cats! Drop me an email at any time with a photo of your cyber cat (or non-feline friend) along with their name, and they'll be featured in an upcoming newsletter. Feel free to send in updates, too; always welcome!
~ ~
SUGGESTION BOX
Thanks so much for reading this week's newsletter! It was yet another busy week from, well, ~gestures wildly in every direction~ and as usual, I'll be back next week with all you need to know from the past seven days in cyber-land.
Please do get in touch to share anything for the newsletter. For now, I'm off to get a bagel and enjoy the first day of daylight saving... a very near-7pm sunset today here in the New York City area, and I am absolutely here for it.
Meow for now, I guess?
@zackwhittaker