By the CyberWire staff
At a glance.
- FBI attributes $1.5 billion Bybit hack to DPRK hackers.
- Apple removes end-to-end encryption for iCloud in the UK.
- Sweden will seek backdoor access to encrypted messaging apps.
- Cellebrite suspends services in Serbia following allegations of misuse.
- Qilin ransomware gang claims responsibility for attack against Lee Enterprises.
- JavaGhost uses compromised AWS environments to launch phishing campaigns.
- Lotus Blossom cyberespionage campaigns target Southeast Asia.
- Chinese APT targets healthcare firms with Trojanized medical applications.
FBI attributes $1.5 billion Bybit hack to DPRK hackers.
The US Federal Bureau of Investigation (FBI) has confirmed that North Korean hackers were behind last week's theft of $1.5 billion worth of Ethereum from the Bybit cryptocurrency exchange. The FBI attributes the hack to an activity cluster tracked as "TraderTraitor," which is tied to Pyongyang's Lazarus Group.
The Bureau provided a list of fifty-one Ethereum addresses holding assets from the theft, stating, "FBI encourages private sector entities including RPC node operators, exchanges, bridges, blockchain analytics firms, DeFi services, and other virtual asset service providers to block transactions with or derived from addresses TraderTraitor actors are using to launder the stolen assets."
Bybit CEO Ben Zhou has shared the results of two investigations into the hack, BleepingComputer reports. Investigators from Sygnia concluded that "the root cause of the attack is malicious code originating from Safe{Wallet}'s infrastructure." Researchers at Verichains added, "The attack specifically targeted Bybit by injecting malicious JavaScript into app.safe.global, which was accessed by Bybit's signers. The payload was designed to activate only when certain conditions were met. This selective execution ensured that the backdoor remained undetected by regular users while compromising high-value targets... Based on the investigation results from the machines of Bybit's Signers and the cached malicious JavaScript payload found on the Wayback Archive, we strongly conclude that AWS S3 or CloudFront account/API Key of Safe.Global was likely leaked or compromised."
The hack currently stands as the largest heist of any kind in history, surpassing Saddam Hussein's theft of $1 billion from the Central Bank of Iraq in 2003.
Apple removes end-to-end encryption for iCloud in the UK.
Apple has removed its Advanced Data Protection (ADP) feature for iCloud users in the UK following a secret legal demand by the British government, the Record reports. ADP provides end-to-end encryption for iCloud accounts. The British government had issued a Technical Capability Notice (TCN) requiring Apple to maintain the ability to access users' iCloud data when served a legal warrant. Rather than complying with the order, which would have required building a backdoor capability affecting Apple users worldwide, the company opted to disable the ADP feature in the UK. Apple said it was "gravely disappointed" that ADP is no longer available for British users, adding, "As we have said many times before, we have never built a backdoor or master key to any of our products, and we never will."
US Director of National Intelligence Tulsi Gabbard has ordered a legal review of the UK government's demand, the Record reports. Gabbard said in a response to a letter from Senator Ron Wyden (Democrat of Oregon) and Representative Andy Biggs (Republican of Arizona), "I share your grave concern about the serious implications of the United Kingdom, or any foreign country, requiring Apple or any company to create a 'backdoor' that would allow access to Americans' personal encrypted data. This would be a clear and egregious violation of Americans’ privacy and civil liberties, and open up a serious vulnerability for cyber exploitation by adversarial actors."
Gabbard added, "My lawyers are working to provide a legal opinion on the implications of the reported UK demands against Apple on the bilateral Cloud Act agreement. Upon initial review of the U.S. and U.K. bilateral CLOUD Act Agreement, the United Kingdom may not issue demands for data of U.S. citizens, nationals, or lawful permanent residents, nor is it authorized to demand the data of persons located inside the United States. The same is true for the United States – it may not use the CLOUD Act agreement to demand data of any person located in the United Kingdom."
Sweden will seek backdoor access to encrypted messaging apps.
The Swedish government is set to propose a bill next month that would force Signal and WhatsApp to create backdoors for law enforcement to access users' messages, Infosecurity Magazine reports. The Signal Foundation's president Meredith Whittaker said Signal will leave the Swedish market if the law passes, stating, "Asking us to store data would undermine our entire architecture and we would never do that."
The bill is supported by the country's law enforcement and security services, with Minister of Justice Gunnar Strömmer stating, "The ability of law enforcement authorities to effectively access electronic communications is crucial." The Swedish Armed Forces opposes the bill, however, saying the law could not be implemented "without introducing vulnerabilities and backdoors that could be exploited by third parties."
Cellebrite suspends services in Serbia following allegations of misuse.
Israeli cell phone data extraction firm Cellebrite has dropped the Serbian government as a customer following a report that the Serbian police had used the company's tools to hack the phones of a journalist and an activist, TechCrunch reports. Amnesty International published a report in December 2024 asserting that Serbian authorities used Cellebrite's hacking software in combination with an Android-focused spyware tool to "covertly infect individuals’ devices during periods of detention or police interviews."
Cellebrite said in a statement, "We take seriously all allegations of a customer’s potential misuse of our technology in ways that would run counter to both explicit and implied conditions outlined in our end-user agreement. After a review of the allegations brought forth by the December 2024 Amnesty International report, Cellebrite took precise steps to investigate each claim in accordance with our ethics and integrity policies. We found it appropriate to stop the use of our products by the relevant customers at this time."
Qilin ransomware gang claims responsibility for attack against Lee Enterprises.
The Qilin ransomware group has claimed responsibility for an attack against Iowa-based newspaper publisher Lee Enterprises, SecurityWeek reports. The group claims to have stolen around 350 GB of data, including "investor records, financial arrangements that raise questions, payments to journalists and publishers, funding for tailored news stories, and approaches to obtaining insider information." Qilin is threatening to publish the data on March 5th unless the company pays the ransom.
Lee Enterprises, which publishes more than 350 newspapers across 25 US states, sustained a "cyber incident" on February 3rd which disrupted at least 75 of its publications. The company has avoided using the term "ransomware" but it did mention in an SEC filing that the attackers "encrypted critical applications and exfiltrated certain files."
JavaGhost uses compromised AWS environments to launch phishing campaigns.
Palo Alto Networks' Unit 42 warns that the JavaGhost threat actor is compromising misconfigured AWS environments and using them to launch phishing campaigns. The group gains entry to the AWS environments via exposed long-term access keys. Once they've gained access, the attackers use the victim's Amazon Simple Email Service (SES) and WorkMail services to send out phishing emails. Since the emails are sent from a legitimate source, they're more likely to bypass security filters.
To defend against these attacks, Unit 42 recommends that AWS users limit access to administrative rights, rotate IAM credentials regularly, use short-term or just-in-time access tokens instead of long-term keys, and enable multi-factor authentication.
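The access pattern above (mail APIs driven by long-term IAM keys, no MFA, stale credentials) can be triaged from CloudTrail records. The following is an added example, not Unit 42's or AWS's code; the CloudTrail records and key list are constructed for illustration, and the 90-day rotation threshold is an assumption.

```python
"""Flag SES/WorkMail calls made with long-term IAM keys or without MFA, and
list keys due for rotation. Added example with constructed sample data."""
from datetime import datetime, timedelta, timezone

MAIL_SERVICES = {"ses.amazonaws.com", "workmail.amazonaws.com"}

def is_long_term_key(access_key_id):
    # AKIA... = long-term IAM user key; ASIA... = temporary STS credential
    return access_key_id.startswith("AKIA")

def mfa_used(identity):
    ctx = identity.get("sessionContext") or {}
    return (ctx.get("attributes") or {}).get("mfaAuthenticated") == "true"

def triage_event(event):
    """Return finding strings for one record; an empty list means nothing notable."""
    findings = []
    if event.get("eventSource") not in MAIL_SERVICES:
        return findings
    ident = event.get("userIdentity", {})
    key = ident.get("accessKeyId", "")
    who = ident.get("userName") or ident.get("type", "unknown")
    if is_long_term_key(key):
        findings.append(f"{event['eventName']} by {who} used long-term key {key}")
    if not mfa_used(ident):
        findings.append(f"{event['eventName']} by {who} without MFA")
    return findings

def stale_keys(keys, now, max_age_days=90):
    """Keys older than max_age_days (assumed threshold): rotate or delete."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["accessKeyId"] for k in keys if k["createDate"] < cutoff]

# Constructed sample records and key inventory (not real telemetry).
EVENTS = [
    {"eventID": "e1", "eventSource": "ses.amazonaws.com", "eventName": "SendRawEmail",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-svc",
                      "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventID": "e2", "eventSource": "ses.amazonaws.com", "eventName": "SendEmail",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventID": "e3", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "backup",
                      "accessKeyId": "AKIAEXAMPLE000000003"}},
]
NOW = datetime(2025, 2, 28, tzinfo=timezone.utc)
KEYS = [{"accessKeyId": "AKIAEXAMPLE000000001", "createDate": NOW - timedelta(days=400)},
        {"accessKeyId": "AKIAEXAMPLE000000003", "createDate": NOW - timedelta(days=10)}]

def triage(events=EVENTS):
    """Map eventID -> findings for every record that produced at least one."""
    return {ev["eventID"]: f for ev in events if (f := triage_event(ev))}
```

Only the SES call made with the long-term key and no MFA (e1) is reported; the role-based, MFA-backed call and the non-mail S3 call pass, and the 400-day-old key is listed for rotation.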
Lotus Blossom cyberespionage campaigns target Southeast Asia.
Cisco Talos is tracking multiple cyberespionage campaigns by the Lotus Blossom threat actor targeting government, manufacturing, telecommunications, and media entities in Vietnam, Taiwan, Hong Kong, and the Philippines. The researchers note that the operation "appears to have achieved significant success." The campaigns involve the Sagerunex remote access tool, which is exclusively used by Lotus Blossom. The Sagerunex backdoor abuses legitimate cloud services such as Dropbox, Twitter (now X), and Zimbra for its C2 communication.
Talos doesn't attribute Lotus Blossom to any particular nation-state, but Microsoft has previously linked the group to China.
Chinese APT targets healthcare firms with Trojanized medical applications.
Forescout warns that a Chinese APT tracked as "Silver Fox" is targeting healthcare organizations with malware disguised as the Philips DICOM viewer, a popular software for viewing medical images. The Trojanized viewers are designed to "infect victim systems with a backdoor (ValleyRAT) for remote access and control, a keylogger to capture user activity and credentials, and a crypto miner to exploit system resources for financial gain."
Forescout notes, "While these DICOM viewers likely target patients rather than hospitals directly, as patients often use these applications to view their own medical images, the risk to [Healthcare Delivery Organizations] remains significant. In scenarios where patients bring infected devices into hospitals for diagnosis, or emerging scenarios, such as hospital-at-home programs, which rely on patient-owned technology, these infections could spread beyond individual patient devices, allowing threat actors to potentially gain an initial foothold within healthcare networks."
Patch news.
Security researcher Dawid Kulikowski has discovered and reported a critical remote code execution vulnerability (CVE-2025-27364) affecting MITRE's Caldera security training platform, the Register reports. The flaw has been assigned a CVSS score of 10.0, and can allow "remote attackers to execute arbitrary code on the server that Caldera is running on via a crafted web request to the Caldera server API used for compiling and downloading of Caldera's Sandcat or Manx agent (implants)." Users are urged to update to the latest version of Caldera as soon as possible.
Crime and punishment.
Police in Thailand have arrested a 39-year-old Singaporean man suspected of involvement in over ninety data leaks. Group-IB, which assisted in the joint operation between the Royal Thai Police and the Singapore Police Force, said in a press release, "Operating under aliases ALTDOS, DESORDEN, GHOSTR and 0mid16B, the arrested individual was one of the most active cybercriminals in the Asia-Pacific since 2021, targeting companies and businesses in Thailand, Singapore, Malaysia, Indonesia, India, and many more."
The security firm added, "The main goal of his attacks was to exfiltrate the compromised databases containing personal data and to demand payment for not disclosing it to the public. If the victim refused to pay, he did not announce the leaks on dark web forums. Instead he notified the media or personal data protection regulators, with the aim of inflicting greater reputational and financial damage on his victims. Later he also asserted pressure on his victims by sending direct customer notifications via email or via instant messengers to force them into submission."