Also, AI Video Mocking Trump and Musk Disrupts HUD Offices

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, a U.S. Army soldier pleaded guilty to selling telecom data, an AI video displayed in a government building mocked U.S. President Donald Trump and Elon Musk, a Saudi firm was hit by ransomware, a new North Korean job lure scam surfaced, hackers targeted Ukrainian notaries, the U.S. Cybersecurity and Infrastructure Security Agency flagged two flaws, a botnet exploited Microsoft 365 to launch password attacks, and more than 2,000 Ivanti VPNs are unpatched.
U.S. Army Soldier Pleads Guilty to Selling Stolen AT&T, Verizon Data
U.S. Army communications specialist Cameron John Wagenius, 20, pleaded guilty to unlawfully selling and leaking customer call records stolen from AT&T and Verizon.
Federal authorities arrested Wagenius in December 2024 at Fort Cavazos, Texas. Wagenius operated online as “Kiberphant0m” and was part of a hacking group that extorted companies over stolen data.
Authorities said the group exploited weak security in accounts on the cloud-based data warehousing platform Snowflake, targeting major corporations. AT&T, one of the hardest-hit victims, reportedly paid $370,000 to prevent further leaks. Wagenius allegedly demanded $500,000 from the company, threatening to release stolen data.
Prosecutors said that before his arrest, Wagenius searched for ways to defect to non-extradition countries. He also reportedly attempted to sell stolen data to a foreign intelligence agency and possessed more than 17,000 identity documents, including passports and driver’s licenses.
During a Feb. 19 hearing, prosecutors argued he is a flight risk and should not be released pending sentencing. The Army is in the process of discharging him.
AI Video Mocking Trump and Musk Disrupts HUD Offices
In an apparent insider hack, an AI-generated video of Donald Trump sucking on Elon Musk’s feet, captioned “Long live the real king,” unexpectedly played on loop across U.S. Department of Housing and Urban Development headquarters in Washington, D.C. Staff scrambled to shut it off, eventually unplugging TVs floor by floor.
The bizarre incident follows Trump’s recent “Long live the king” post on Truth Social. The White House responded by featuring an AI image of Trump in a crown. The video appeared on the first day that all HUD workers were expected to return to the office full time to comply with White House orders ending remote work.
DragonForce Ransomware Hits Saudi Firm, Leaks 6TB of Data
Hackers wielding DragonForce ransomware attacked Al Bawani, a major real estate and construction company in Riyadh, Saudi Arabia. The firm, involved in energy, oil and gas, government and defense projects, suffered a data breach exceeding six terabytes, according to cybersecurity firm Resecurity.
The ransomware gang began extortion attempts on Feb. 14, setting a payment deadline for Feb. 28, which Al Bawani ignored, leading to the public release of sensitive corporate documents.
North Korean Hackers Target Freelance Developers With Job Scam
Cybersecurity firm Eset uncovered another North Korean job lure campaign, dubbed DeceptiveDevelopment, that targets freelance software developers and tricks them into installing malware.
Fake recruitment has become a staple of North Korean social engineering, whether to spy on developers’ computers or to steal any cryptocurrency that might reside there.
The operation targets developers on platforms like Upwork, Freelancer.com and Crypto Jobs List and has been active since 2023. Hackers pose as recruiters, sharing Trojanized codebases on GitHub or tricking victims into installing malware-laced video conferencing software. The malware families BeaverTail and InvisibleFerret steal credentials, cryptocurrency wallets and sensitive data.
The campaign targets developers in the U.S., India, Finland and several other countries, with hackers seeking to maximize financial gain.
Hackers-for-Hire Target Ukrainian Notaries to Breach State Registries
Ukrainian state cybersecurity agency CERT-UA warned of a campaign targeting notaries to infiltrate government registries. The attackers, tracked by CERT-UA as UAC-0173, have been distributing phishing emails since mid-January, impersonating regional offices of the Ministry of Justice to gain remote access to victims’ computers.
Once inside, the hackers deploy DarkCrystal, a commercial Russian backdoor capable of data theft, surveillance and remote code execution. The malware, sold cheaply on Russian underground forums, allows attackers to bypass security measures, steal credentials and even use compromised devices to send further phishing emails. CERT-UA identified affected computers in six Ukrainian regions, stopping unauthorized modifications to state records in some cases.
CERT-UA said that UAC-0173 operates as a hack-for-hire cyber group.
CISA Flags Microsoft Partner Center, Zimbra Flaws as Actively Exploited
The U.S. Cybersecurity and Infrastructure Security Agency added two security vulnerabilities affecting Microsoft Partner Center and Synacor Zimbra Collaboration Suite to its Known Exploited Vulnerabilities catalog.
The flaws are CVE-2024-49035 (CVSS 8.7), an improper access control bug in Microsoft Partner Center that enables privilege escalation, patched in November 2024, and CVE-2023-34192 (CVSS 9.0), an XSS vulnerability in Zimbra ZCS that allows remote code execution, fixed in July 2023.
Federal agencies must apply patches by March 18 to mitigate risks. While Microsoft previously acknowledged CVE-2024-49035 has been exploited, it has not disclosed details.
Over Two Thousand Ivanti VPNs Remain Unpatched
Cybersecurity researchers identified more than 2,850 Ivanti Connect Secure VPN devices worldwide still unpatched, leaving organizations vulnerable to remote code execution through CVE-2025-22467.
According to Shadowserver Foundation, 852 devices in the United States and 384 in Japan are vulnerable. The flaw, stemming from improper input validation, allows attackers to infiltrate networks, steal data and deploy ransomware. Ivanti released a patch in February.
Botnet Exploits Microsoft 365 to Launch Password Attacks
A botnet of more than 130,000 compromised devices is conducting a large-scale password-spraying attack on Microsoft 365 accounts by exploiting non-interactive sign-ins, researchers at Security Scorecard found.
Unlike traditional password attacks that trigger security alerts, this method allows attackers to bypass detection by exploiting non-interactive logins, which are used by service accounts and automated processes that don’t require direct user input.
The attacks have been observed across multiple M365 tenants worldwide, with researchers urging organizations to check non-interactive sign-in logs and rotate credentials immediately.
Researchers suspect a Chinese-linked group, though the attribution is not certain.
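One way to act on the advice to check non-interactive sign-in logs and rotate credentials, as an added example that is not from the researchers or the original article. It assumes sign-in records exported as dictionaries whose field names follow the Microsoft Graph sign-in record layout; the thresholds, helper names and sample records are constructed for illustration.

```python
from collections import defaultdict

INVALID_CREDENTIALS = 50126  # Entra ID error code: invalid username or password

def find_spray_windows(records, min_accounts=4, max_tries=2):
    """Hourly windows of non-interactive failures spread thinly over many accounts."""
    windows = defaultdict(lambda: defaultdict(list))
    for r in records:
        if r["isInteractive"] or r["status"]["errorCode"] != INVALID_CREDENTIALS:
            continue
        hour = r["createdDateTime"][:13]  # "YYYY-MM-DDTHH" of a UTC ISO 8601 timestamp
        windows[hour][r["userPrincipalName"]].append(r["ipAddress"])
    findings = []
    for hour, per_account in sorted(windows.items()):
        # Spraying means few guesses per account; ignore accounts hammered repeatedly.
        sprayed = {u: ips for u, ips in per_account.items() if len(ips) <= max_tries}
        if len(sprayed) >= min_accounts:
            ips = sorted({ip for tries in sprayed.values() for ip in tries})
            findings.append({"hour": hour, "accounts": sorted(sprayed), "source_ips": ips})
    return findings

def accounts_to_rotate(records, findings):
    """Accounts with a successful non-interactive sign-in from an IP seen spraying."""
    spray_ips = {ip for f in findings for ip in f["source_ips"]}
    return sorted({r["userPrincipalName"] for r in records
                   if not r["isInteractive"] and r["status"]["errorCode"] == 0
                   and r["ipAddress"] in spray_ips})

def rec(ts, upn, ip, code, interactive=False):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "isInteractive": interactive, "status": {"errorCode": code}}

# Constructed sample records (documentation IP ranges, made-up accounts).
SAMPLE = [
    rec("2025-02-20T03:01:10Z", "svc-backup@example.com", "203.0.113.10", 50126),
    rec("2025-02-20T03:02:41Z", "alice@example.com", "203.0.113.11", 50126),
    rec("2025-02-20T03:05:07Z", "bob@example.com", "198.51.100.7", 50126),
    rec("2025-02-20T03:09:55Z", "carol@example.com", "198.51.100.8", 50126),
    rec("2025-02-20T03:12:30Z", "svc-mail@example.com", "203.0.113.10", 50126),
    rec("2025-02-20T03:40:02Z", "svc-mail@example.com", "203.0.113.10", 0),  # later success
    rec("2025-02-20T09:15:00Z", "dave@example.com", "192.0.2.44", 50126, interactive=True),
    rec("2025-02-20T09:16:00Z", "dave@example.com", "192.0.2.44", 50126),
]

if __name__ == "__main__":
    found = find_spray_windows(SAMPLE)
    print(found)
    print(accounts_to_rotate(SAMPLE, found))
```

The second function narrows the rotation list to accounts where a spraying address later signed in successfully, which are the ones to treat as compromised first.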
With reporting from Information Security Media Group’s Akshaya Asokan in the South of England.