
Privacy Roundup: Week 3 of Year 2025 – Source: securityboulevard.com


Source: securityboulevard.com – Author: Avoid The Hack!

This is a news item roundup of privacy or privacy-related news items for 12 JAN 2025 – 18 JAN 2025. Information and summaries provided here are as-is for warranty purposes.

Note: You may see some traditional “security” content mixed in here due to the close relationship between online privacy and cybersecurity – many things may overlap; for example, major vulnerabilities in popular software, which may compromise the security of users’ devices (and therefore pose a threat to their privacy), and large data breaches where significant personal information is exposed.

Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or “popular” stories.

This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.

May also include threat actors abusing legitimate technology – which of itself may be irrespective of user privacy in general – to gather information or otherwise target users.

How cars became the worst product category for privacy

Session

Covers the extensive data collection (and subsequent sharing with car manufacturers and their affiliates) enabled by modern vehicles; they can collect far more than location data.

Inside the Black Box of Predictive Travel Surveillance

Wired

Covers the use of powerful surveillance technology in predicting who might be a “threat.”

FTC Surveillance Pricing Study Indicates Wide Range of Personal Data Used to Set Individualized Consumer Prices

Federal Trade Commission

The FTC launched a “surveillance pricing market study” which concluded that specific captured details and data are used to target consumers with different prices for the same goods and services.

They regularly use people’s personal information to set tailored prices. This personal information can range from demographics to mouse movements on a web page to a person’s location.

The study is still ongoing.

Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes major updates to recommended services/tools found on avoidthehack, but also may feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com.

Bitwarden releases native Android app

AlternativeTo

Bitwarden has made its native Android app “generally available” for download on the Google Play Store.

Introducing Labels: A new era of email organization at Tuta Mail

Tuta

Tuta introduces “labels,” an organization feature long requested by its users.

Brave Search now offers real-time blockchain data results with unmatched privacy

Brave

Brave adds privacy-preserving querying for real-time blockchain data results to its Brave Search service.

Vulnerabilities and Malware

Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.

This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.

Microsoft’s January 2025 Patch Tuesday Addresses 157 CVEs (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335)

Tenable

First Patch Tuesday of 2025 from Microsoft. Three CVEs exploited in the wild and five publicly disclosed (but not expressly observed being exploited in the wild).

CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335 are EoP vulnerabilities in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP) and were exploited in the wild as zero-days. These probably don’t affect most users reading this.

CVE-2025-21308. This is probably a CVE most users should tune into. It is a spoofing vulnerability that affects Themes in Windows. Successful exploitation requires social engineering users into manipulating a specially crafted file. Publicly disclosed, not observed exploited in the wild at time of publication of this post.

Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344

welivesecurity (ESET)

CVE-2024-7344. A UEFI application signed by a Microsoft certificate could bypass Secure Boot. This could result in the execution of code during system boot, defeating the purpose of Secure Boot – which could include loading near-undetectable malware such as rootkits.

While there is a list of vulnerable software products, threat actors could bring their own copy of the vulnerable reloader.efi binary to any system with the affected Microsoft certificate installed.

Microsoft revoked the certificates with the January 2025 Patch Tuesday updates.

Browser-Based Cyber-Threats Surge as Email Malware Declines

Infosecurity Magazine

According to research from the 2024 Threat Data Trends report by the eSentire Threat Response Unit, browser threats (such as drive-by downloads and malvertising) increased; these techniques are in turn used to deliver malware such as information stealers. Approximately 70% of observed malware cases in 2024 derived from browser-based malware.

Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

darkreading

According to researchers from Trend Micro, threat actors have been uploading video guides for installing cracked software to YouTube. These video guides function as the initial lure; they then share links to fake downloaders for the cracked software, which actually drop information stealers onto the device.

This campaign exploits the inherent trust users have when visiting extremely popular and reputable sites that host/share primarily user-generated content – such as YouTube, GitHub, and Reddit. Similar campaigns on these sites have been observed in recent years.

DOJ confirms FBI operation that mass-deleted Chinese malware from thousands of US computers

TechCrunch

The PlugX malware, used by a PRC-linked APT dubbed “Twill Typhoon” or “Mustang Panda,” had infected millions of computers since at least 2014. The FBI, in connection with French authorities, removed the malware from approximately 4,200 infected hosts in the US (3,000 in France).

Hackers Use Image-Based Malware and GenAI to Evade Email Security

Infosecurity Magazine

Malicious code is embedded in image files; when the images are downloaded from well-known websites, they may bypass email security controls. A particular campaign abusing this has been dropping information stealers and keyloggers; specifically, the campaign attempts to drop 0bj3ctivityStealer and VIP Keylogger.

Additionally, threat actors have been using HTML smuggling to deliver XWorm malware. The XWorm malware family is typically used as a remote access trojan (RAT) or information stealer.

Phishing and Scams

Covers popular phishing schemes affecting end users – smishing, vishing, and any new scam/phish…

*** This is a Security Bloggers Network syndicated blog from Avoid The Hack! authored by Avoid The Hack!. Read the original post at: https://avoidthehack.com/privacy-week3-2025

Original Post URL: https://securityboulevard.com/2025/01/privacy-roundup-week-3-of-year-2025/

Category & Tags: Security Bloggers Network – Security Bloggers Network
