Massive Research into iOS Apps Uncovers Widespread Secret Leaks, Abysmal Coding Practices
Article Link: https://cybernews.com/security/ios-apps-leak-hardcoded-secrets-research/
- The Cybernews research team conducted a comprehensive analysis of over 156,000 iOS applications that revealed 71% contained hardcoded secrets, exposing more than 815,000 sensitive credentials.
- These embedded credentials, ranging from API keys to cloud storage and payment processor data, could allow attackers to access user information, financial records, and backend services without detection.
- Researchers discovered nearly 83,000 hardcoded cloud storage endpoints, 836 of them lacking authentication and exposing around 406 terabytes of data. Additionally, over 51,000 Firebase endpoints were identified, thousands of which were accessible without authentication.
- Security recommendations from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and Cybernews researchers stress that developers must eliminate hardcoded secrets, adopt secure credential management, perform regular audits, and integrate automated scanning tools to detect risks before release.
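As an added example, not code from the Cybernews research or the article: a minimal pre-release scanner in Python that runs over strings extracted from an app bundle and flags the credential formats the findings call out (cloud storage endpoints, Firebase endpoints, API keys). The regexes are assumptions based on publicly documented key formats, and every sample value is a constructed placeholder.

```python
import re
from typing import Dict, List, Tuple

# Patterns for the credential formats the research calls out (cloud storage
# and Firebase endpoints, API keys).  These are assumptions based on publicly
# documented key formats, not the Cybernews team's own detection rules.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "firebase_endpoint": re.compile(r"https://[a-z0-9\-]+\.firebaseio\.com\b"),
    "s3_bucket_url": re.compile(r"https://[a-z0-9.\-]+\.s3(?:[.\-][a-z0-9\-]+)?\.amazonaws\.com\b"),
    # Generic key = "value" assignment; catches secrets that have no known prefix.
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_\-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{12,})['\"]"),
}
Finding = Tuple[int, str, str]  # (line number, pattern name, matched text)

def scan_strings(lines: List[str]) -> List[Finding]:
    """Scan extracted strings (e.g. `strings` output from a binary or plist)."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((line_no, name, m.group(0)))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per pattern, the figure a release gate would report."""
    counts: Dict[str, int] = {}
    for _, name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample: strings as they might be pulled from an app bundle.
# All values are fake placeholders, not real credentials.
SAMPLE_STRINGS = [
    "https://api.example.com/v1/users",
    "AKIAEXAMPLE000000001",                      # fake AWS access key ID
    "AIzaSyFAKE" + "0" * 29,                     # fake Google API key
    "https://example-app-default.firebaseio.com/users.json",
    "https://customer-uploads.s3.us-east-1.amazonaws.com/",
    'api_key = "not-a-real-key-please-rotate"',
    "Copyright 2025 Example Corp",
]

if __name__ == "__main__":
    for line_no, name, match in scan_strings(SAMPLE_STRINGS):
        print(f"line {line_no}: {name}: {match}")
    print(summarize(scan_strings(SAMPLE_STRINGS)))
```

Wire `scan_strings` into CI against the built IPA's extracted strings and fail the build on any non-empty result; a zero-finding run is the baseline the recommendation above asks for.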
AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution
Article Link: https://www.trendmicro.com/en_us/research/25/c/ai-assisted-fake-github-repositories.html
- Attackers are using artificial intelligence to create fake repositories loaded with malware, disguising them as legitimate tools to bait unsuspecting users.
- These fraudulent projects pose as game cheats and software cracks, fooling users into opening ZIP files that unleash SmartLoader and LummaStealer onto their systems.
- Once executed, the malware siphons cryptocurrency wallets, steals personal data, and bypasses two-factor authentication, putting victims at risk of financial loss and identity fraud.
- Researchers from Trend Micro stress the importance of verifying repositories, downloading only from trusted sources, enabling security protections, and staying alert to AI-driven social engineering schemes.
US Govt Says Americans Lost Record $12.5 Billion to Fraud in 2024
Article Link: https://www.bleepingcomputer.com/news/security/us-govt-says-americans-lost-record-125-billion-to-fraud-in-2024/
- Americans lost a staggering $12.5 billion to scams last year—a 25% spike from 2023—marking the highest total ever recorded, according to the Federal Trade Commission (FTC).
- Fake investment schemes drained $5.7 billion, while imposter scams—where criminals pose as trusted people or companies—racked up nearly $3 billion in stolen funds.
- Young adults (ages 20-29) fall victim most often, representing 44% of all reported losses. Older adults (ages 70-79) lose the most per scam, averaging $8,000 per incident.
- The agency warns Americans to double-check investment offers, ignore unsolicited messages, monitor financial accounts, and stay alert to fast-changing scam tactics. The FTC is also cracking down on fraud with consumer protection rules like the Telemarketing Sales Rule (TSR).
U.S. Cities Warn of Wave of Unpaid Parking Phishing Texts
Article Link: https://www.bleepingcomputer.com/news/security/us-cities-warn-of-wave-of-unpaid-parking-phishing-texts/
- A widespread scam is targeting U.S. residents with fraudulent text messages about unpaid parking violations, threatening additional daily fines to pressure victims into paying.
- Victims receive texts claiming to be from city parking authorities, warning of unpaid parking invoices that will incur a $35 daily fine if not settled immediately. The message includes a link to a fake website designed to steal personal and financial information.
- Numerous cities, including Annapolis, Boston, Charlotte, Denver, Detroit, Greenwich, Houston, Milwaukee, Salt Lake City, San Diego, and San Francisco, have reported these scams targeting their residents.
- Authorities instruct residents not to click links in unsolicited messages, confirm any parking violation notices through official city channels, and report suspicious texts to local law enforcement or the Federal Trade Commission (FTC).
The Rise of AI-Powered Cyber Threats: How Adversaries Are Using “Good Enough” Tactics to Outsmart Defenders
- Cybercriminals are using artificial intelligence to automate, scale, and sharpen their attacks, making breaches faster and harder to stop.
- AI-powered infostealers snatch passwords, financial data, and personal info in seconds, fueling identity theft and account takeovers at a massive scale.
- AI-generated messages mimic real emails and texts with eerie accuracy, conning even the most cautious users into handing over credentials.
- The author, chief researcher at Blackpoint Cyber, stresses the need for more training for phishing recognition, AI-driven defenses, stronger multi-factor authentication, and real-time monitoring to stay ahead of AI-powered cybercrime.
CISA Warns of Windows NTFS Vulnerability Actively Exploited to Access Sensitive Data
Article Link: https://cybersecuritynews.com/cisa-warns-of-windows-ntfs-vulnerability-exploited/
- The Cybersecurity and Infrastructure Security Agency (CISA) has added six Microsoft Windows vulnerabilities to its Known Exploited Vulnerabilities Catalog, including four flaws in the New Technology File System (NTFS).
- These vulnerabilities, CVE-2025-24984, CVE-2025-24991, CVE-2025-24993, and CVE-2021-31956, allow attackers to access sensitive data, execute malicious code, or escalate privileges. One flaw exposes heap memory contents due to improper NTFS logging practices.
- Exploiting these weaknesses could lead to unauthorized data access, full system compromise, and ransomware attacks, threatening both federal agencies and private networks.
- The agency requires federal agencies to apply Microsoft’s March 2025 Patch Tuesday updates by April 1, 2025. CISA suggests organizations apply these patches without delay, restrict the use of untrusted removable media, and track suspicious activity to block potential attacks.
Microsoft: Recent Windows Updates Make USB Printers Print Random Text
Article Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-usb-printers-print-random-text-after-recent-windows-updates/
- Users report USB printers spewing random text and symbols following recent Windows updates, causing widespread frustration.
- After installing updates since late January 2025, especially KB5050092, printers supporting both USB Print and IPP Over USB protocols are malfunctioning. They unexpectedly print network commands and unusual characters, often starting with “POST /ipp/print HTTP/1.1.”
- The issue impacts Windows 10 version 22H2 and Windows 11 versions 22H2 and 23H2, while the latest Windows 11 24H2 remains unaffected.
- Microsoft deployed a Known Issue Rollback (KIR) to stop the issue. The fix rolls out automatically but can take up to 24 hours to reach all devices. Users can speed up the process by restarting their systems, while IT administrators managing enterprise devices can apply a Group Policy for faster resolution.
Hackers Using Advanced MFA-Bypassing Techniques to Gain Access to User Accounts
Article Link: https://cybersecuritynews.com/hackers-using-advanced-mfa-bypassing-techniques/
- Cybercriminals are deploying stealthy new techniques to bypass MFA, breaking into accounts despite additional security layers.
- Cybersecurity R&D company Quarkslab details these attacks, which involve manipulation of authentication flaws, including timing gaps and weaknesses in verification processes, to trick systems into granting access without completing secondary checks.
- These sophisticated methods often leave no trace, making it nearly impossible for security teams to spot intrusions until unauthorized activity is discovered.
- Recommendations to block these advanced attacks include reviewing authentication settings, monitoring for unusual login behavior, and restricting outdated MFA methods.
- Technical analysis: https://blog.quarkslab.com/technical-dive-into-modern-phishing.html
Phishing Campaign Impersonating Booking.com Targets Hospitality Sector with Malware
Article Link: https://www.infosecurity-magazine.com/news/clickfix-phishing-scam-booking/
- Microsoft warns that a hacker group dubbed “Storm-1865” is posing as Booking.com to deceive hotel staff into revealing credentials via “ClickFix” social engineering attacks.
- Scammers send fake emails about guest complaints, promotions, or account verification, enticing victims into clicking malicious links disguised as Booking.com login pages. A fake CAPTCHA instructs users to engage in a set of keystrokes and clicks resulting in the deployment of info-stealing malware.
- This scam has been active since December 2024, hitting hospitality businesses across North America, Europe, Asia, and Oceania, with no signs of slowing down.
- The company appeals to partners and customers to confirm requests through official Booking.com channels and also to remember: “It is important to note that we would never ask a customer to share payment information via email, chat messages, text messages or phone.”
