Citizen Lab's investigation reveals sophisticated spyware attacks exploiting WhatsApp vulnerabilities, implicating Paragon Solutions. Learn how their research exposed these threats and the implications for digital privacy.

Cybersecurity researchers at the Citizen Lab at the University of Toronto have exposed the use of sophisticated spyware named **Graphite**, developed by the Israeli firm Paragon Solutions, to target high-profile individuals through WhatsApp.

Their **investigation** reveals that a previously unknown zero-day vulnerability in WhatsApp’s software allowed the spyware to be installed on devices through a zero-click exploit, allowing adversaries to gain unauthorized access to targeted phones.

For your information **zero-click exploits** mean that a device can be compromised without the user clicking a link, opening a file, or performing any other action.

Attack flow explained (Source: The Citizen Lab)

****Graphite Spyware Servers Worldwide****

Paragon Solutions, established in 2019 by figures including former Israeli Prime Minister Ehud Barak, claims to differentiate itself by adhering to ethical standards, unlike other spyware vendors like the **NSO Group**.

However, Citizen Lab’s researchers mapped out servers attributed to Graphite, and identified suspected deployments against journalists, human rights activists, and government critics across multiple countries. This includes:

*   Italy
*   Israel
*   Canada
*   Cyprus
*   Denmark
*   Australia
*   Singapore

WhatsApp’s parent company, Meta, has confirmed that approximately 90 users in 24 countries were targeted. However, since the researchers are based in Canada; a significant aspect of the investigation focused on a Canadian client, the Ontario Provincial Police (OPP). The analysis uncovered links between Paragon and the OPP, revealing a systematic use of spyware capabilities among Ontario-based police services.

The Italian connection proved to be a focal point of the investigation. Forensic analysis of Android devices belonging to individuals notified by WhatsApp, including journalist Francesco Cancellato and Mediterranea Saving Humans founders Luca Casarini and Dr. Giuseppe Caccia, revealed clear indications of Graphite spyware.

Researchers identified a unique Android forensic artifact, BIGPRETZEL, which confirmed the presence of Paragon’s spyware on these devices. The Italian government initially **denied** any involvement but later **acknowledged** having contracts with Paragon.

Furthermore, the investigation extended to an iPhone belonging to David Yambio, a close associate of the confirmed Paragon targets. Apple threat notifications received by Yambio, coupled with forensic analysis, revealed an attempted infection with novel spyware, subsequently patched by Apple in iOS 18.

In response to Citizen Lab’s findings, Meta, along with Apple and Google, collaborated to address the security vulnerability. WhatsApp implemented a server-side fix, eliminating the need for users to update their apps. Apple also released a patch for its iOS operating system to protect iPhone users.

WhatsApp subsequently **notified** the targeted users. “If we believe that your device has come under threat, we may notify you about it directly via a WhatsApp chat,” the notification read.

****WhatsApp Attacks Persist Despite NSO Group Lawsuit Win****

Hackread.com earlier **reported** that the infamous Israeli spyware company, NSO Group, was held legally liable for compromising hundreds of WhatsApp accounts. Court found NSO Group responsible for breaching WhatsApp’s terms of service and exploiting a vulnerability to install its powerful Pegasus spyware on at least 1,400 devices, targeting journalists, human rights activists, political dissidents, and government officials.

Interestingly, CyberScoop **reported** in November 2024 that NSO Group continued to develop new malware based on WhatsApp exploits, even after Meta filed a lawsuit against them and that when WhatsApp disabled the Eden exploit, NSO Group created the Erised vector to target users until May 2020.

Now, the Citizen Lab’s findings indicate that Israeli spyware firms are continually focusing on exploiting WhatsApp vulnerabilities for spyware deployment and aggressively using them against journalists and activists.  

These cases show the never-ending struggle between technology companies and malicious actors seeking to compromise user privacy and the critical need for continuous caution, stricter security measures, and legal accountability within the spyware industry to protect digital privacy and **human rights**.

Israeli Spyware Graphite Targeted WhatsApp with 0-Click Exploit

A new Zimperium report reveals that rooted Android phones and jailbroken iOS devices face growing threats, with advanced toolkits making detection nearly impossible for cybersecurity researchers.

Despite tighter security from **Apple and Google**, hackers and cybercriminals continue to exploit rooted and jailbroken devices for their attacks. A new report from mobile security firm Zimperium shared with Hackread.com ahead of its publishing on Thursday, warns that compromised mobile phones remain a major risk for businesses, as these devices are far more likely to be targeted by malware and system takeovers.

****What Are Rooting and Jailbreaking?****

**Rooting** (on Android) and **jailbreaking** (on iOS) give users full control over their devices. This allows customization beyond what manufacturers allow and also removes key security protections. A rooted or jailbroken can’t enforce security protocols like Google’s Play Integrity or Apple’s security checks, but they can install apps from unverified sources, disable security features, and modify system files, making them prime targets for cybercriminals.

According to Zimperium’s **research**, rooted Android devices are:

*   **3.5 times more likely** to be attacked by malware

*   **250 times more likely** to suffer a system compromise

*   **3,000 times more likely** to experience a filesystem breach

Depending on who the targeted victim is, a compromised phone can be used as an entry point into corporate networks, allowing attackers to steal sensitive data, launch phishing campaigns, and bypass OTPs.

****A Well-Equipped Toolkit of Hackers****

The security industry has worked hard to detect and block rooted devices, but hackers have also been catching up. Tools like Magisk, APatch, KernelSU, Dopamine, and Checkra1n are in active development, with some even designed to hide their presence to avoid scans.

Magisk, for example, uses a “systemless” root method that avoids modifying core system files, making them harder to detect. APatch takes a different approach by modifying kernel memory on the fly, leaving no permanent traces. These updated toolkits make it increasingly difficult for cybersecurity researchers to spot compromised devices before damage is done.

Overview of current rooting tools (left) and the threat chain of a rooted device leading to a security breach (right) via Zimperium.

****Decline in Rooting and Jailbreaking but Still a Threat****

Rooting and jailbreaking were a big deal from 2011 to 2019. Now that the number of rooted and jailbroken devices has declined, they still pose a serious risk, especially in workplaces where employees use personal phones for work.

Worse, this threat is not limited to small businesses; even employees at cybersecurity giants like Kaspersky Labs have had **their iPhones infected** by malware. A single compromised phone can give attackers access to corporate data, email accounts, and internal applications.

**J. Stephen Kowski**, Field CTO at cybersecurity firm SlashNext, highlights the issue, “When employees root or jailbreak their devices, they’re removing crucial security guardrails. This creates significant attack vectors for threat actors. Businesses need advanced threat detection that can identify compromised devices and block attacks without disrupting workflows.”

Nevertheless, companies need to take mobile security seriously. Traditional security solutions often fail to detect modern rooting tools, so businesses should invest in advanced mobile threat detection that can identify cybersecurity threats in real time. Here’s how a company can start tackling this threat:

*   **Educating employees** on the risks of rooting and jailbreaking

*   **Using mobile security solutions** that detect hidden modifications

*   **Blocking rooted and jailbroken devices** from accessing corporate networks

*   **Implementing strict app policies** to prevent sideloading of unverified software.

Rooted Androids 3,000x More Likely to Be Breached, Even iPhones Not Safe

Microsoft refuses to patch serious Windows shortcut vulnerability abused in global espionage campaigns!

A new Windows zero-day vulnerability is being actively exploited by at least 11 hacking groups linked to nation-states including North Korea, Iran, Russia, and China for years. Despite evidence of widespread attacks dating back to 2017, Microsoft has declined to issue a security patch, labelling the issue as “not meeting the bar for servicing.”

The vulnerability, tracked by Trend Micro as **ZDI-CAN-25373**, allows attackers to execute malicious code on Windows systems by hiding commands within shortcut (.lnk) files. When Trend Micro submitted proof of this vulnerability through their Zero Day Initiative bug bounty program, Microsoft categorized it as low severity and stated they would not address it with an immediate security update. No CVE identifier has been assigned to the flaw.

“We discovered nearly a thousand Shell Link (.lnk) samples that exploit ZDI-CAN-25373; however, it is probable that the total number of exploitation attempts are much higher,” Trend Micro researchers stated in a **blog post** shared with Hackread.com.

****How the Vulnerability Works****

The vulnerability takes advantage of how Windows displays information about shortcut files. When a user right-clicks on a file to view its properties, Windows fails to show hidden malicious commands embedded within the file.

Hackers achieve this by inserting large numbers of blank spaces or other whitespace characters into the command line arguments of the shortcut file. These invisible characters effectively push the malicious commands beyond what’s visible in the Windows interface, making the file appear harmless to users.

What’s even more concerning, some North Korean threat actors including **Earth Manticore** (APT37) and **Earth Imp** (Konni), have created “extremely large” shortcut files, reaching sizes up to 70MB, to further complicate detection. This technique has proven effective enough that various state-backed hacking groups have exploited it in their attack methods for years.

The security firm’s analysis found that nearly half of the state-sponsored attackers exploiting this vulnerability originate from North Korea, with the remaining groups linked to Iran, Russia, and China. Approximately 70% of these campaigns focused on espionage and information theft, while over 20% aimed at financial gain.

According to researchers, organizations in various sectors are at high risk, including:

*   Government
*   Energy companies
*   Financial institutions
*   Military and defence
*   Telecommunications providers.

While most victims were detected in North America, researchers noted attacks across Europe, Asia, South America, and Australia. On the other hand, industry leaders are criticizing Microsoft for not addressing such a serious vulnerability.

**Thomas Richards**, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions expressed surprise at Microsoft’s decision.

“Actively exploited vulnerabilities are usually patched within a short period. It’s unusual for Microsoft to refuse to release a security patch in this situation given that it is actively being exploited by nation-state groups,” said Thomas. “Microsoft should address the vulnerability immediately to manage software risk and prevent further attacks and compromises of systems throughout the world.”

**Jason Soroko**, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), is not surprised by Microsoft’s decision.

“Exploiting the vulnerability involves manipulating how Windows displays shortcut files by padding command-line arguments with whitespace characters and if this method requires a chain of specific conditions or user interactions that are unlikely in everyday scenarios, Microsoft may view it as lower risk,” Jason explained. “If the ability to do this requires the attacker to elevate privileges using an endpoint compromise, I have seen Microsoft in the past express a similar viewpoint.”

****ZDI and Microsoft: A History of Cybersecurity Disputes****

This is not the first time ZDI has criticized Microsoft over a security vulnerability issue. In July 2024, ZDI **accused** Microsoft of failing to credit them in its Patch Tuesday update and criticized its lack of transparency in vulnerability disclosure.

Another researcher, Haifei Li of Check Point, who independently discovered the same vulnerability, also went unacknowledged, further highlighting the lack of communication from Microsoft.

Nevertheless, the fact that Microsoft has chosen not to issue a patch for this flaw leaves millions of users exposed to cybersecurity threats and puts organizations at risk as nation-state hackers continue to exploit it. Therefore, to stay protected, use a strong EDR solution to detect and block malicious .lnk files. Monitor network traffic for signs of compromise, train users to avoid suspicious links, and stay updated on security alerts.

11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017

Bengaluru, India, 19th March 2025, CyberNewsWire

**Bengaluru, India, March 19th, 2025, CyberNewsWire**

**Moving Beyond Detection to Real-Time, Automated Security Across Workloads, Cloud, and Infrastructure** 

SecPod, a global cybersecurity provider, has announced the General Availability of Saner Cloud, a Cloud-Native Application Protection Platform designed to provide automated remediation and workload security across multi-cloud environments. Unlike conventional security solutions that focus primarily on detection, Saner Cloud integrates security using AI-driven automation to remediate threats in real-time.

Security teams have long faced challenges managing disparate security solutions across cloud workloads, IT infrastructure, and endpoints, often resulting in fragmented operations and a high volume of unresolved alerts. Saner Cloud is designed to address these challenges by providing a unified security platform that continuously detects, prioritizes, and remediates vulnerabilities, misconfigurations, identity risks, and compliance violations—automatically and in real time.

During the launch, Chandrashekhar Basavanna, Founder & CEO of SecPod, emphasized the urgent need to rethink cloud security and shift towards an AI-powered, prevention-first model. 

> “Cloud security has long been reactive—detecting risks but failing to fix them. Security is only effective when threats are eliminated before they can be exploited. The industry has spent years chasing alerts but has failed to bridge the gap between awareness and action. AI now gives us the power to move beyond detection and automate remediation at scale. Saner Cloud ensures security is enforced in real time, across every workload, every piece of infrastructure, and every cloud environment.” – Chandrashekhar Basavanna, Founder and CEO of SecPod.

Unlike legacy cloud security solutions that focus only on cloud misconfigurations or identity risks, Saner Cloud secures the full attack surface, covering endpoints, servers, network infrastructure, cloud environments, and cloud workloads – all from a single platform. 

Saner Cloud leverages advanced AI-driven automation to eliminate manual security operations. Saner Cloud applies intelligent risk prioritization and executes remediation automatically, ensuring that security gaps are fixed before they can be exploited by attackers. By continuously learning from new attack patterns and security incidents, Saner Cloud dynamically adapts its security enforcement, delivering self-healing cloud infrastructure that remains protected against even the most sophisticated threats. 

Most Cloud-Native Application Protection Platform (CNAPP) solutions focus on visibility, requiring security teams to manually address large volumes of unresolved risks. Saner Cloud is designed to bridge this gap by not only identifying security issues but also automating their remediation in real-time and at scale.

By utilizing Infrastructure-as-Code remediation, automated patching, and security policy enforcement, Saner Cloud helps mitigate compliance drift, reduce misconfiguration risks, and minimize delays in threat response. The platform continuously enforces security across cloud and IT assets while embedding compliance measures directly into cloud operations, assisting organizations in maintaining ongoing adherence to regulatory frameworks.

The launch of Saner Cloud reflects a shift toward a prevention-first approach in cloud security, focusing on reducing risk exposure rather than solely identifying threats. As cyber threats evolve, organizations require security measures that are immediate, automated, and continuous, rather than relying on manual alert response.

Saner Cloud is now available for enterprises worldwide. For more information or to schedule a demo, users can visit www.secpod.com. 

**About SecPod** 

SecPod is a leading cybersecurity technology company committed to preventing cyberattacks through proactive security. Its mission is to secure computing infrastructure by enabling preventive security posture. 

At the core of SecPod’s offerings is the **Saner Platform –** a suite of solutions that help organizations establish a strong security posture to preempt cyber threats against endpoints, servers, networks, and cloud infrastructure, as well as cloud workloads. With its cutting-edge and comprehensive solutions, SecPod empowers organizations to stay ahead of evolving threats and build a resilient security framework. 

**Contact**

**Head – Marketing**  
**Supriya Bhaskar Rao**  
**SecPod Technologies**  
**\[email protected\]**

SecPod launches Saner Cloud: A Revolutionary CNAPP For Preventive Cybersecurity

New Immersive World LLM jailbreak lets anyone create malware with GenAI. Discover how Cato Networks researchers tricked ChatGPT, Copilot, and DeepSeek into coding infostealers - In this case, a Chrome infostealer.

Cato Networks, a Secure Access Service Edge (SASE) solution provider, has released its 2025 Cato CTRL Threat Report, revealing an important development. According to researchers, they have successfully designed a technique that allows individuals with no **prior coding experience** to create malware using readily available generative AI (GenAI) tools.

****LLM Jailbreak Created Functioning Chrome Infostealer via “Immersive World”****

The core of their research is a novel Large Language Model (LLM) jailbreak technique, dubbed “Immersive World,” developed by a Cato CTRL threat intelligence researcher. The technique involves creating a detailed fictional narrative where GenAI tools, including popular platforms like DeepSeek, Microsoft Copilot, and OpenAI’s ChatGPT, are assigned specific roles and tasks within a controlled environment.

By effectively bypassing the default security controls of these AI tools through this narrative manipulation, the researcher was able to force them into generating functional malware capable of stealing login credentials from **Google Chrome**.

> _“A Cato CTRL threat intelligence researcher with no prior malware coding experience successfully jailbreak multiple LLMs, including DeepSeek-R1, DeepSeek-V3, Microsoft Copilot, and OpenAI’s ChatGPT to create a fully functional Google Chrome infostealer for Chrome 133.”_
> 
> Cato Networks

This technique (Immersive World) indicates a critical flaw existing in the safeguards implemented by GenAI providers as it easily bypasses the intended restrictions designed to prevent misuse. As Vitaly Simonovich, a threat intelligence researcher at Cato Networks, **stated**, “We believe the rise of the zero-knowledge threat actor poses a high risk to organizations because the barrier to creating malware is now substantially lowered with GenAI tools.”

The report’s findings have prompted Cato Networks to reach out to the providers of the affected GenAI tools. While Microsoft and OpenAI acknowledged receipt of the information, DeepSeek remained unresponsive.

Screenshots show researchers interacting with DeepSeek, which ultimately generated a functional Chrome infostealer (Images via Cato Networks)

****Google Declined to Review Malware Code****

According to researchers, Google, despite being offered the opportunity to review the generated malware code, declined to do so. This lack of a unified response from major tech companies highlights the complexities surrounding the addressing of threats in advanced AI tools.

****LLMs and Jailbreaking****

Although LLMs are relatively new, jailbreaking has evolved alongside them. A report **published** in February 2024 revealed that DeepSeek-R1 LLM failed to prevent over half of the jailbreak attacks in a security analysis. Similarly, a **report** from SlashNext in September 2023 showed how researchers successfully jailbroke multiple AI chatbots to generate phishing emails.

****Protection****

The 2025 Cato CTRL Threat Report, the inaugural annual publication from Cato Networks’ threat intelligence team, emphasizes the critical need for proactive and comprehensive AI security strategies. These include preventing LLM jailbreaking by building a reliable dataset with expected prompts and responses and testing AI systems thoroughly.

Regular AI red teaming is also important, as it helps find vulnerabilities and other security issues. Additionally, clear disclaimers and terms of use should be in place to inform users they are interacting with an AI and define acceptable behaviours to prevent misuse.

Researchers Use AI Jailbreak on Top LLMs to Create Chrome Infostealer

Hackers are using .VHD files to spread VenomRAT malware, bypassing security software, reveals Forcepoint X-Labs. Learn how this stealthy attack works and how to protect yourself.

Cybersecurity researchers at Forcepoint X-Labs have spotted a new and tricky malware campaign that has been spreading and infecting targeted devices with VenomRAT, a remote access trojan known for targeting researchers in fake PoC (Proof of Concept) attacks

In this campaign, instead of the usually infected documents or executable files, cybercriminals are delivering the dangerous VenomRAT hidden inside a virtual hard disk image file (.vhd).

The campaign begins with a phishing email. This time, the bait is an apparently harmless purchase order. However, opening the attached archive doesn’t reveal a typical document. Instead, users find a .vhd file – a container that mimics a physical hard drive.

When a user opens the .vhd file, their computer treats it like a new drive. But this isn’t a drive full of legitimate files; it contains a malicious batch script designed to cause harm. Using a .vhd file to spread malware is a new trick. Since these files are commonly used for disk imaging and virtualization, security software doesn’t always flag them as a threat.

“This is a unique approach,” explains Prashant Kumar, a Security Researcher at Forcepoint X-Labs. “Attackers are constantly looking for ways to evade detection, and hiding malware within a virtual hard disk image is a good example of that.”

****The Attack and Stealing User Data****

According to research from Forcepoint X-Labs, shared with Hackread.com, the malware script is disguised with multiple layers of code and executes a series of malicious activities once activated. It starts by self-replicating, making sure a copy remains available at all times.

Then, it launches PowerShell, a legitimate Windows tool often exploited by attackers, and establishes persistence by placing a malicious script in the Startup folder, allowing it to run automatically whenever the user logs in. To dig in even more, the script modifies Windows registry settings, making it harder to detect and remove.

The malware also employs hidden communication by connecting to Pastebin, a popular text-sharing platform, to fetch instructions from a remote command-and-control (C2) server, which serves as the attacker’s command hub. Once established, the malware initiates data theft, logging keystrokes and storing sensitive information in a configuration file. It also downloads additional components, including a .NET executable, to assist in encryption and system manipulation.

Researchers noted that this VenomRAT variant uses HVNC (Hidden Virtual Network Computing), a remote control service that allows attackers to control the infected system without detection.

Phishing email and attack vector used in the campaign (Screenshots via Forcepoint X-Labs)

****What’s Next for Unsuspected Users?****

Be careful with email attachments, even if they seem legitimate; especially if they come from unknown senders. If you receive an unexpected invoice or purchase order, don’t trust the contact details in the email; verify it directly with the sender using a known phone number or email.

Keeping your operating system, antivirus, and security tools up to date is critical for blocking threats from executing on your system. Lastly, make sure your team knows how to spot and report phishing attempts. Awareness and common sense are two of the best cybersecurity measures anyone can use, anywhere and at all times.

Hackers Hide VenomRAT Malware Inside Virtual Hard Disk Image File

Austin, TX, United States, 19th March 2025, CyberNewsWire

**Austin, TX, United States, March 19th, 2025, CyberNewsWire**

The average corporate user now has 146 stolen records linked to their identity, an average 12x increase from previous estimates, reflecting a surge in holistic identity exposures.

SpyCloud, the leading identity threat protection company, today released its **2025 SpyCloud Annual Identity Exposure Report**, highlighting the rise of darknet-exposed identity data as the primary cyber risk facing enterprises today. As cybercriminals move beyond single data points and leverage stolen data from a number of sources – breaches, malware and phishes – they are embracing a more sophisticated approach to identity exploitation, and organizations must shift their focus to a comprehensive and holistic defense strategy that accounts for the interconnected nature of digital identities.

**Holistic Identity: The New Cyber Battleground**

Organizations have traditionally focused on securing individual account credentials, but SpyCloud’s research indicates that cybercriminals have expanded their tactics beyond conventional account takeover. Attackers now have access to extensive identity data from multiple sources—including data breaches, infostealer malware infections, phishing campaigns, and combolists—posing a challenge for organizations whose security measures have not yet adapted to address the full scope of interconnected identity exposures holistically.

SpyCloud’s collection of recaptured darknet data grew **22% in the past year**, now encompassing more than **53.3 billion distinct identity records and over 750+ billion total stolen assets** that are now circulating in the criminal underground, fueling identity-based cybercrime. These assets are a vast array of personal and professional credentials, session cookies, personally identifiable information (PII), financial data, IP addresses, national IDs and more that criminals are weaponizing in attacks against individuals and businesses. 

> “The cybersecurity industry has spent years defending against traditional credential-based threats, but the reality is that attackers have advanced as the data they have access to has exploded in volume,” said Damon Fleury, Chief Product Officer, SpyCloud. “Identity is the ultimate frontier of cyber risk, with users’ exposure across past and present, personal and professional identities the new attack surface. It requires organizations to rethink the risks posed by employees, consumers, partners and suppliers.”

> Fleury continues, “At SpyCloud, we’ve created holistic identity analytics built on the industry’s largest collection of recaptured darknet data, enabling our customers to correlate disparate data points that encompass an individual’s digital footprint—providing a truly holistic view of identity risk.”

**New Definition for Identity Risk Emerges**

With the explosion of available identity data, attackers can now piece together historical and present-day records to bypass security barriers. Traditionally, cybersecurity teams were only able to see a fraction of an individual’s darknet exposures – primarily only the exposed assets tied to a corporate identity – which were not comprehensive nor in correlation with other exposures. SpyCloud’s report shows that an individual’s identity exposure is more expansive than traditional cyber risk tools would indicate; in fact, it’s a sprawling web of interrelated assets that provide cybercriminals with a roadmap to exploit vulnerabilities and the keys to unlock valuable access.

*   Of particular concern for businesses, a single corporate user now has an **average of 146 stolen records** linked to their identity – across **13 unique emails and 141 credential pairs** (a username or email and its associated password) per corporate user, which highlights how attackers correlate historical data to uncover active enterprise access points.
*   In the consumer realm, the numbers are even higher with **229 records per consumer**, frequently including exposed PII such as full names, dates of birth, and phone numbers, as well as Social Security/ID numbers, addresses, and credit card or bank information. Consumer exposure averages **27 unique emails and 227 credential pairs per user.**

> “The record-breaking breaches of 2024, including the Mother of All Breaches (MOAB) and the National Public Data Breach, along with the growing use of infostealing malware and crafty phishing campaigns illustrate just how vast the pool of exposed identity data has become,” said Trevor Hilligoss, Senior Vice President of Security Research, SpyCloud Labs at SpyCloud. “By understanding how cybercriminals aggregate stolen data and the new tactics and trends they are leveraging to assume even more valuable information and access, organizations can take proactive steps to mitigate identity-based threats from these large underground sources before they escalate.” 

**Additional Report Findings:**

*   **17.3 billion cookies** were recaptured from malware-infected devices, enabling attackers to bypass MFA and hijack active user sessions.
*   **548 million credentials** were exfiltrated via infostealer malware, highlighting the growing role of stealthy, targeted data theft in enterprise attacks.
*   **3.1 billion passwords** were recaptured in 2024, marking a **125% increase from the previous year**.
*   **70% of users** whose credentials were exposed in breaches last year reused previously compromised passwords, significantly increasing their risk of account takeover attacks **–** a 9+ jump from 2023.
*   **44.8 billion PII assets – a 39% increase from 2023** are opening the door for new fraudulent activities.
*   **97%** of recaptured phished data logs in 2024, from popular phishing-as-a-service (PHaaS) platforms like ONNX, included an email address and **64%** had an associated IP address, giving criminals direct opportunities to perpetrate as the user and make lateral movements within an organization.
*   In the public sector, SpyCloud recaptured **127K .gov credentials** and observed **a 67% all-time password reuse rate** – an increase of 13% over the previous year – highlighting persistent security risks for our federal agencies and national security.

**Evolving Cybersecurity Strategies**

The findings highlight that cybercriminals are moving well-beyond their own legacy tactics and businesses must recognize that traditional defenses are no longer enough. SpyCloud’s approach leverages **holistic identity analytics**, powered by the industry’s largest collection of recaptured darknet data, to help organizations correlate disparate identity elements and shore up identity threat protection measures, while mitigating risk more effectively.

For further insights, the full **2025 SpyCloud Identity Exposure Report** is available here.

**About SpyCloud**

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated holistic identity threat protection solutions leverage advanced analytics to proactively prevent ransomware and account takeover, safeguard employee and consumer accounts, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights, users can visit spycloud.com.

**Contact**

**Emily Brown**  
**REQ on behalf of SpyCloud**  
**\[email protected\]**

SpyCloud’s 2025 Identity Exposure Report Reveals the Scale and Hidden Risks of Digital Identity Threats

Top 10 Passwords hackers use to breach RDP revealed! Weak credentials cause successful cyberattacks- check if yours is on the list and secure your system now.

A recent study by the Specops research team reveals that hackers continue to exploit weak passwords in attacks on Remote Desktop Protocol (RDP) ports. This report also adds over 85 million compromised passwords to Specops’ Breached Password Protection service, sourced from their honeypot network and threat intelligence.

****What is RDP and Why Attack RDP Ports?****

RDP is a Microsoft-developed protocol that allows users to connect to and control another computer over a network remotely. RDP ports are network ports used by the Remote Desktop Protocol to establish a connection between a client and a remote server or computer. By default, RDP uses port 3389 (TCP/UDP) for communication.

RDP ports are a common target for hackers because they’re widely used for remote access in businesses. Whether it’s for remote work, system maintenance, or troubleshooting, these ports provide an easy entry point, making them a favourite for brute force and password-spraying attacks. It’s not uncommon to see countless failed login attempts from hackers trying to breach.

****Key Findings from the Research****

According to Specops’ research shared with Hackread.com ahead of publishing on Tuesday, March 18, 2025, here’s what they discovered:

**Common Passwords in Use:** The analysis determined that the most frequently attempted password was “123456,” followed by other basic choices such as “1234,” “Password1,” and even “P@ssw0rd.” A notable observation is the recurring use of “Welcome1,” pointing to the danger of temporary passwords assigned during employee onboarding that might never be updated.

**Simple Number Combinations Dominate:** Nearly 25% of the passwords used in these attacks consist solely of numbers. The study highlights that a notable portion of attempts, almost half, rely on either numbers or all lower-case letters.

**Password Length and Complexity:** Eight-character passwords are the most common, likely because many organizations set that length as the minimum requirement. Only about 1.35% of the attacked passwords exceeded 12 characters, indicating that longer passphrases could block nearly all of the attack attempts.

**Expanded Breached Password List:** Alongside these insights, Specops has added more than 85 million compromised passwords to its Breached Password Protection service. These figures come from data gathered through honeypot networks and threat intelligence sources, offering fresh insight into what hackers target.

****Top 10 Passwords in RDP Attacks****

The research team analyzed NTLMv2 hashes from their honeypot system, focusing on RDP-specific attacks. They managed to crack around 40% of these hashes, revealing the top ten passwords used in these attacks:

*   **123456** – 355,088 occurrences
*   **1234** – 309,812 occurrences
*   **Password1** – 271,381 occurrences
*   **12345** – 259,222 occurrences
*   **P@ssw0rd** – 254,065 occurrences
*   **password** – 138,761 occurrences
*   **Password123** – 121,998 occurrences
*   **Welcome1** – 113,820 occurrences
*   **12345678** – 86,682 occurrences
*   **Aa123456** – 69,058 occurrences

****How to Protect Your RDP Ports****

To protect your RDP ports from attacks, start by enabling Multi-Factor Authentication (MFA) so that even if a password is stolen, unauthorized access is blocked. Keeping your Windows servers and clients updated is crucial to patch security vulnerabilities that hackers exploit.

Additionally, ensure TCP port 3389 is secured with SSL encryption and not directly exposed to the internet. Another important step is to restrict RDP access to a specific range of trusted IP addresses, preventing unauthorized users from attempting to connect.

****Simple Password = Security Disaster****

The Specops report makes it clear that relying on simple passwords is a risk organizations can no longer afford. By switching to longer and more complex passwords companies can greatly reduce the impact of today’s RDP attacks.

Top/Featured Image by kalhh from Pixabay

Top 10 Passwords Hackers Use to Breach RDP – Is Yours at Risk?

Sydney, Australia, 19th March 2025, CyberNewsWire

**Sydney, Australia, March 19th, 2025, CyberNewsWire**

Sydney-based cybersecurity software company Knocknoc has raised a seed round from US-based venture capital firm Decibel Partners with support from CoAct and SomethingReal.

The funding will support go-to-market, new staff, customer onboarding and product development. The company has appointed Adam Pointon as Chief Executive Officer.

“The opportunity here is limitless,” Pointon said. “You’d be hard pressed to find an organisation that couldn’t benefit in some way from using Knocknoc.”

Knocknoc orchestrates network infrastructure to remove risk exposure by tying users’ network access to their SSO authentication status.

By selectively opening network connections to users on a just-in-time basis, Knocknoc eliminates attack surface and solves compliance challenges. Knocknoc prevents would-be attackers from being able to connect to the types of network devices and applications that are prone to falling victim to zero-day attacks.

Customers use Knocknoc to protect VPNs and firewalls, IP cameras, payroll systems, file transfer appliances, bastion hosts and other applications and network services. Knocknoc is also easy to use with cloud-based infrastructure.

It can also be used on internal networks to add multifactor authentication to legacy systems to satisfy compliance requirements.

Knocknoc has also appointed Decibel Partners Founder Advisor and Risky Business Media CEO Patrick Gray to its board of directors.

“Knocknoc is a terrific way for organisations to quickly and easily reduce their exposure to the types of attacks that are plaguing enterprises right now,” said Gray. “It’s simple, quick to implement and delivers an immediate benefit.”

Knocknoc is already in use in Australian and US critical infrastructure, large telecommunications networks and media companies.

The Knocknoc founders are Andrew Foster, David Kempe and Adam Pointon.

More information at https://knocknoc.io

**Contact**

**Cofounder & CEO**  
**Adam pointon**  
**Knocknoc.io**  
**\[email protected\]**

Knocknoc Raises Seed Funding to Scale Its Just-In-Time Network Access Control Technology

$32B Wiz acquisition: Google ramps up cloud security. Following Mandiant, this deal signals major GCP defense upgrade.

Google’s parent company, **Alphabet**, has announced its acquisition of Wiz, a leading cloud and cybersecurity platform for $32 billion. This acquisition, Google’s largest to date, signals the company’s enhancement of the security capabilities of Google Cloud Platform (GCP).

Wiz, founded in 2020, has quickly risen to prominence with its cloud-native application protection platform (CNAPP). Its technology allows organizations to gain visibility into their cloud environments, identifying vulnerabilities, misconfigurations, and security risks across multi-cloud deployments.

The massive $32 billion deal, far bigger than any previous acquisition, shows just how crucial cloud security is to Google’s long-term strategy. This move also stresses the intense competition within the cloud computing sector, where Google is fighting for market share against industry giants like Amazon Web Services (AWS) and Microsoft Azure.

_“_Wiz and Google Cloud share a vision to improve security by making it easier and faster for organizations of all types and sizes to protect themselves, end-to-end, across all major clouds,_“_ **stated** Google _“_Google Cloud is a leader in cloud infrastructure, with deep AI expertise and a track record of industry-leading security innovation. Bringing this to Wiz will help make their solutions even better and more scalable, helping protect more organizations faster._“_

This acquisition builds upon Google’s prior investments in cybersecurity. Notably, **in 2022, Google acquired Mandiant**, a leading cybersecurity incident response and threat intelligence firm, for $5.4 billion. The Mandiant acquisition strengthened Google’s ability to detect and respond to sophisticated cyberattacks, providing valuable threat intelligence to its customers. The addition of Wiz’s cloud security management capabilities further expands Google’s security lineup.

This acquisition also marks a big move in the cloud security market, but it’s likely to draw attention from regulators. Antitrust authorities will be looking at how it might affect competition and innovation in the industry. However, industry analysts suggest that the integration of Wiz into GCP will offer notable benefits to Google Cloud customers.

**Rom Carmel**, Co-Founder and CEO at Apono, a New York-based provider of privileged access for cloud solutions commented on the latest development stating, _“_Google’s acquisition of Wiz underscores the growing importance of cloud security in the AI-driven era. By bringing Wiz into Google Cloud’s portfolio alongside Mandiant and Siemplify, Google is reinforcing its commitment to helping enterprises secure their cloud environments; regardless of the provider._“_

**Dave Gerry**, CEO at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity commented, “With upwards of more than 6,000 cyber vendors in the market, customers are looking to consolidate their security spend to vendors they trust. While many hoped that 2025 would be the Year of the IPO, this deal may be a bellwether signalling other large-scale M&A activity_.”_

The acquisition of Wiz is expected to close in the coming months, subject to regulatory approvals. Once finalized, the integration of Wiz’s technologies into Google Cloud will begin, promising a new level of enhanced cloud security for Google Cloud customers.

Source

HackRead