Weekly Cybersecurity Recap - 14 April 2025

Major Cyber Breaches, Vulnerabilities & Industry Updates


    Introduction

    Cyber threats this week took a darkly creative turn — from fake app store pages delivering mobile spyware to AI platforms unintentionally enabling live phishing sites. We also dive into escalating ransomware strategies targeting domain controllers, vulnerabilities in widely used plugins, and the mounting third-party risks driving financial fraud. In this week's recap, we break down the most notable incidents shaping the security landscape.

    Malware & Threat Campaigns

    SpyNote, BadBazaar, MOONSHINE Malware Target Android and iOS Users via Fake Apps

    Researchers have discovered a coordinated campaign using newly registered domains to host malicious websites impersonating the Google Play Store. These fake pages prompt users to download trojanised apps that pose as legitimate software such as Chrome, ultimately delivering spyware variants such as SpyNote. In the same week, the UK's NCSC and partner agencies warned that the BadBazaar and MOONSHINE spyware families are being distributed through trojanised apps to target Uyghur, Tibetan and Taiwanese communities. Together these cases are part of a broader trend of mobile-targeted phishing that affects both Android and iOS users and exploits trust in familiar branding; sideloading from any site that is not the official store, however convincing the page looks, remains the common weak point.

    Lovable AI Found Most Vulnerable to VibeScamming — Enabling Anyone to Build Live Scam Pages

    Lovable, an AI-powered full-stack app builder, has emerged as a surprisingly potent tool for cybercriminals. Security researchers found it susceptible to jailbreak attacks, allowing bad actors to create pixel-perfect credential phishing pages with hosting, evasion, and admin dashboards included. This new tactic, dubbed "VibeScamming," highlights how generative AI tools — meant for productivity — can easily be turned toward malicious ends.

    Breaches & Data Leaks

    Hackers Breach Morocco’s Social Security Database

    Hackers have stolen and leaked sensitive data from Morocco’s social security agency, affecting millions of private sector workers. The attack, claimed to be politically motivated in response to tensions with Algeria, was accompanied by threats of continued campaigns. While the agency claims some of the leaked data is misleading or incomplete, the breach underscores growing threats to national systems and sensitive citizen data.

    Vulnerabilities & Exploits

    Vulnerability in OttoKit WordPress Plugin Exploited in the Wild

    A high-severity authorisation bypass (CVE-2025-3102) in the OttoKit WordPress plugin, which has over 100,000 installations, is being actively exploited. OttoKit (formerly SureTriggers) is a workflow automation tool, and its widespread use across businesses makes it a high-value target for web-based exploitation. The flaw lets an unauthenticated attacker create new administrator accounts, but only on sites where the plugin is installed and has not yet been configured with an API key: the plugin compared the stored secret against the value supplied in the request without first checking that a secret had been set, so an empty value matched an empty configuration. The fix shipped in version 1.0.79; administrators should update, and also review the user list for administrator accounts they did not create, since an already-compromised site is not repaired by the patch alone.
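    The bug class behind this advisory, an integration secret that is checked by plain equality before anyone has configured it, is easy to reproduce in a few lines. The following is an added example written for this recap, not OttoKit's code; the `Site` model, the `x-integration-secret` header name and the endpoint shape are all hypothetical. It shows the flawed check beside a hardened one and a small audit helper for spotting administrator accounts that were not expected.

```python
"""Unconfigured-secret authorisation bypass: flawed check vs. hardened check.

Generic model (hypothetical, not OttoKit's code): a site stores an integration
secret that a remote caller must present before it may create accounts.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class Site:
    """Hypothetical site state: configured secret and username -> role map."""
    secret_key: str = ""                         # "" means never configured
    users: dict = field(default_factory=dict)


def authenticate_vulnerable(site: Site, supplied: str) -> bool:
    """Flawed check: on a fresh install both sides are "" and therefore equal."""
    return site.secret_key == supplied


def authenticate_hardened(site: Site, supplied: str) -> bool:
    """Refuse when either side is empty, then compare in constant time."""
    if not site.secret_key or not supplied:
        return False
    return hmac.compare_digest(site.secret_key.encode(), supplied.encode())


def create_user_endpoint(site: Site, headers: dict, payload: dict, authenticate):
    """Simulated REST handler; 'x-integration-secret' is a made-up header name."""
    if not authenticate(site, headers.get("x-integration-secret", "")):
        return 403, "forbidden"
    username = payload.get("user_name", "")
    if not username:
        return 400, "missing user_name"
    role = payload.get("role", "subscriber")
    site.users[username] = role
    return 201, f"created {username} as {role}"


def unexpected_admins(site: Site, known_admins: set) -> set:
    """Post-incident audit: administrator accounts not on the known list."""
    return {u for u, r in site.users.items() if r == "administrator"} - known_admins


def demo():
    """Run the attacker's request against a vulnerable and a fixed fresh install."""
    attacker_headers = {}                      # attacker sends no secret at all
    attacker_body = {"user_name": "intruder", "role": "administrator"}

    vuln_site = Site()                         # installed, never configured
    status_vuln, _ = create_user_endpoint(vuln_site, attacker_headers,
                                          attacker_body, authenticate_vulnerable)

    fixed_site = Site()
    status_fixed, _ = create_user_endpoint(fixed_site, attacker_headers,
                                           attacker_body, authenticate_hardened)

    # A properly configured site with the right secret still works after the fix.
    configured = Site(secret_key="s3cr3t-value")
    status_ok, _ = create_user_endpoint(configured,
                                        {"x-integration-secret": "s3cr3t-value"},
                                        {"user_name": "svc-bot"}, authenticate_hardened)

    return (status_vuln, status_fixed, status_ok,
            unexpected_admins(vuln_site, {"owner"}),
            unexpected_admins(fixed_site, {"owner"}))


if __name__ == "__main__":
    print(demo())
```

    The empty-value check matters more than the constant-time comparison here: `compare_digest` alone would still happily report that two empty strings are equal. The audit helper reflects the practical follow-up for this advisory, since patching removes the entry point but not an account an attacker has already created.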

    10 Bugs Found in Perplexity AI's Chatbot Android App

    Security researchers found 10 vulnerabilities in Perplexity AI’s Android app — double the number discovered in rival chatbot platforms like DeepSeek. Perplexity, launched shortly after ChatGPT, gained traction for its citation-rich answers. However, its rapid development appears to have outpaced secure coding practices, with researchers warning that the bugs could allow data leaks or unintended access.

    Security Insights

    Why Data Privacy Isn't the Same as Data Security

    Many organizations conflate privacy with security, but the distinction matters. Data privacy is about control and ethical use of personal information, while data security focuses on protection against unauthorized access. Treating these as the same can result in compliance gaps, fines, and loss of consumer trust—especially in an era where regulatory scrutiny is intensifying.

    Financial Fraud, With a Third-Party Twist, Dominates Cyber Claims

    While ransomware remains the most expensive attack type, financial fraud tops the charts in frequency, especially when third-party vendors are involved. At-Bay's latest report reveals a rise in phishing-led fraud and emphasizes how weak supply chain defenses are now the biggest driver of cyber insurance claims. Interestingly, while the volume of incidents is up, average losses are slightly down, suggesting insurers are adapting.

    Attack Vectors & Tactics

    Ransomware Hackers Target Active Directory Domain Controllers

    Microsoft reports that in more than 78% of the human-operated attacks it investigated, the attackers breached an Active Directory domain controller. Once a domain controller is under their control, attackers can elevate privileges, extract password hashes for every account in the domain and push ransomware to the whole network from a single trusted host. These attacks emphasise the need for stronger identity governance, tiered administration that keeps domain controllers separate from everyday workstations, and monitoring of the specific operations, such as directory replication requests from accounts that are not domain controllers, that precede mass credential theft.
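    One concrete way to watch for the hash-extraction step is to look for directory replication rights being exercised by anything other than a domain controller, which is the footprint of DCSync-style attacks. The detector below is an added example for this recap, not Microsoft's guidance or any product's rule; the event records are constructed, and the `dc_accounts` and `allowlist` values are assumptions a deployment would replace. The three control-access-right GUIDs are Microsoft's published identifiers for the replication rights. Event 4662 is only generated when Directory Service Access auditing is enabled, so the rule is silent, not reassuring, on a domain without it.

```python
"""Flag accounts that exercise AD replication rights (DCSync-style hash theft).

Added example over constructed Windows Security events, not real logs.
Event 4662 records the control-access-right GUID in its Properties field;
three GUIDs grant directory replication.
"""
import re
from collections import defaultdict

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS_MASK = 0x100   # AccessMask value 4662 uses for control-access rights
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Constructed sample events using 4662 field names (not captured from a real DC).
SAMPLE_EVENTS = [
    # Normal replication between domain controllers.
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "AccessMask": "0x100"},
    # Allowlisted directory-sync service account (hypothetical name).
    {"EventID": 4662, "SubjectUserName": "svc-dirsync", "SubjectDomainName": "CORP",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "AccessMask": "0x100"},
    # A user account pulling both replication rights: the DCSync footprint.
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "AccessMask": "0x100"},
    # Same user reading an ordinary object property: benign, must not fire.
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10"},
    # Unrelated logon event: ignored by the rule.
    {"EventID": 4624, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP"},
]


def replication_rights_used(event: dict) -> set:
    """Names of replication rights referenced by one 4662 event (empty if none)."""
    if event.get("EventID") != 4662:
        return set()
    if int(event.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS_MASK == 0:
        return set()
    guids = GUID_RE.findall(event.get("Properties", "").lower())
    return {REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS}


def is_expected_replicator(user: str, dc_accounts: set, allowlist: set) -> bool:
    """Domain controller machine accounts and explicitly allowlisted accounts."""
    return (user.endswith("$") and user in dc_accounts) or user in allowlist


def find_dcsync_suspects(events, dc_accounts: set, allowlist: set) -> dict:
    """Map DOMAIN\\user -> replication rights used, for non-DC, non-allowlisted accounts."""
    suspects = defaultdict(set)
    for ev in events:
        rights = replication_rights_used(ev)
        if not rights:
            continue
        user = ev.get("SubjectUserName", "")
        if is_expected_replicator(user, dc_accounts, allowlist):
            continue
        suspects[f"{ev.get('SubjectDomainName', '')}\\{user}"] |= rights
    return dict(suspects)


if __name__ == "__main__":
    hits = find_dcsync_suspects(SAMPLE_EVENTS,
                                dc_accounts={"DC01$", "DC02$"},
                                allowlist={"svc-dirsync"})
    for account, rights in hits.items():
        print(f"ALERT {account}: {sorted(rights)}")
```

    Keep the allowlist short and reviewed: directory synchronisation services legitimately hold these rights, and an attacker who compromises one of those accounts inherits the exemption, so their use should still be baselined against the hosts they normally run from.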

    Remote access tools most frequently targeted as ransomware entry points

    According to At-Bay, VPNs and other remote access tools were the most common entry point for ransomware in 2024. With supply chain risk increasing, attackers are leveraging third-party vulnerabilities and lax access controls to gain initial entry. This highlights the urgent need for tighter vendor oversight and zero trust principles.
