Privacy Roundup: Week 3 of Year 2025

This is a news item roundup of privacy or privacy-related news items for 12 JAN 2025 – 18 JAN 2025. Information and summaries provided here are as-is for warranty purposes.

Note: You may see some traditional “security” content mixed in here due to the close relationship between online privacy and cybersecurity. Many things overlap; for example, major vulnerabilities in popular software, which may compromise the security of users’ devices (and therefore pose a threat to their privacy), and large data breaches where significant personal information is exposed.

Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or “popular” stories.

Surveillance Tech in the News

This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge, or public organizations using technology without regard for user privacy. May also include threat actors abusing legitimate technology (which in itself may have no bearing on user privacy) to gather information or otherwise target users.

How cars became the worst product category for privacy
Source: Session
Covers the extensive data collection (and subsequent sharing with car manufacturers and their affiliates) enabled by modern vehicles; they can collect way beyond location data.

Inside the Black Box of Predictive Travel Surveillance
Source: Wired
Covers the use of powerful surveillance technology in predicting who might be a “threat.”

FTC Surveillance Pricing Study Indicates Wide Range of Personal Data Used to Set Individualized Consumer Prices
Source: Federal Trade Commission
The FTC launched a “surveillance pricing market study,” which concluded that specific captured details and data are used to target consumers with different prices for the same goods and services. Companies regularly use people’s personal information to set tailored prices. This personal information can range from demographics to mouse movements on a web page to a person’s location. The study is still ongoing.

Privacy Tools and Services

Primarily covers tools and services with a focus on maintaining, improving, or respecting user privacy. Generally includes major updates to recommended services/tools found on avoidthehack, but may also feature upcoming or other privacy services not necessarily recommended or promoted by avoidthehack.com.

Privacy Tools

Bitwarden releases native Android app
Source: AlternativeTo
Bitwarden has made its native Android app “generally available” for download on the Google Play Store.

Privacy Services

Introducing Labels: A new era of email organization at Tuta Mail
Source: Tuta
Tuta introduces “labels,” an organization feature long requested by its users.

Brave Search now offers real-time blockchain data results with unmatched privacy
Source: Brave
Brave adds privacy-preserving querying for real-time blockchain data results to its Brave Search service.

Vulnerabilities and Malware

Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user. This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.

Vulnerabilities

Microsoft’s January 2025 Patch Tuesday Addresses 157 CVEs (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335)
Source: Tenable
First Patch Tuesday of 2025 from Microsoft. Three CVEs were exploited in the wild and five were publicly disclosed (but not expressly observed being exploited in the wild).

CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335 are EoP (elevation of privilege) vulnerabilities in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP) and were exploited in the wild as zero-days. These probably don’t affect most users reading this.

CVE-2025-21308: This is probably a CVE most users should tune into. It is a spoofing vulnerability that affects Themes in Windows. Successful exploitation requires social engineering users into manipulating a specially crafted file. Publicly disclosed, not observed exploited in the wild at time of publication of this post.

Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344
Source: welivesecurity (ESET)
CVE-2024-7344: A UEFI application signed by a Microsoft certificate could bypass Secure Boot. This could result in the execution of code during system boot, defeating the purpose of Secure Boot, and could include loading nearly undetectable malware such as rootkits. While there is a list of vulnerable software products, threat actors could bring their own copy of the vulnerable reloader.efi binary to any system with the affected Microsoft certificate installed. Microsoft revoked the certificates with the January 2025 Patch Tuesday updates.

Malware

Browser-Based Cyber-Threats Surge as Email Malware Declines
Source: Infosecurity Magazine
According to research from the 2024 Threat Data Trends report by the eSentire Threat Response Unit, browser threats (such as drive-by downloads and malvertising) increased; these techniques are in turn used to deliver malware such as information stealers. Approximately 70% of observed malware cases in 2024 derived from browser-based malware.

Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results
Source: darkreading
According to researchers from Trend Micro, threat actors have been uploading video guides for installing cracked software to YouTube. These video guides function as the initial lure; they then share links to fake downloaders for the cracked software, which actually drop information stealers onto the device. This campaign exploits the inherent trust users have when visiting extremely popular and reputable sites that host/share primarily user-generated content, such as YouTube, GitHub, and Reddit. Similar campaigns on these sites have been observed in recent years.

DOJ confirms FBI operation that mass-deleted Chinese malware from thousands of US computers
Source: TechCrunch
The PlugX malware, used by a PRC-linked APT dubbed “Twill Typhoon” or “Mustang Panda,” had infected millions of computers since at least 2014. The FBI, in connection with French authorities, removed the malware from approximately 4,200 infected hosts in the US (3,000 in France).

Hackers Use Image-Based Malware and GenAI to Evade Email Security
Source: Infosecurity Magazine
Malicious code is embedded in image files; when the images are downloaded from well-known websites, they may bypass email security controls. A particular campaign abusing this has been dropping information stealers and keyloggers; specifically, the campaign attempts to drop 0bj3ctivityStealer and VIP Keylogger. Additionally, threat actors have been using HTML smuggling to deliver XWorm malware. The XWorm malware family is typically used as a remote access trojan (RAT) or information stealer.

Phishing and Scams

Covers popular phishing schemes affecting end users – smishing, vishing, and any new scam/phish…

First seen on securityboulevard.com

Jump to article: securityboulevard.com/2025/01/privacy-roundup-week-3-of-year-2025/
