Svoboda Cybersecurity Brief April 23, 2025
Cloak Cyberattack Compromises Baltimore City Public Schools Data
A cyberattack by Cloak on Baltimore City Public Schools exposed sensitive personal data of thousands of students and staff, including Social Security numbers, driver’s license numbers, passport information, and addresses. The intrusion was detected on February 13, 2025.
Source: DataBreaches
Active! Mail Zero-Day Exploited in Japanese Organizations
A critical stack-based buffer overflow (CVE-2025-42599, CVSS 9.8) in Active! Mail was actively exploited, enabling arbitrary code execution or DoS. The flaw affected versions up to BuildInfo: 6.60.05008561, forcing Kagoya Japan and WADAX to suspend services.
Impact: Attackers targeted large Japanese organizations.
Mitigation: Update to Active! Mail 6 BuildInfo: 6.60.06008562 or configure WAF to block oversized multipart/form-data headers.
Source: BleepingComputer
Docker Cryptojacking Campaign Exploits Teneo Web3 Nodes
A cryptojacking campaign abused Docker environments by deploying the Docker Hub image “kazutod/tene:ten”, which spoofed Teneo Points via fake heartbeat signals. Attackers evaded detection by fragmenting the malware and reassembling it in the browser.
Impact: Unauthorized crypto-mining via compromised containers.
Mitigation: Monitor Docker Hub pulls; restrict unauthorized container deployments.
Source: The Hacker News
SK Telecom USIM Data Exposed in Malware Attack
South Korea’s largest mobile operator, SK Telecom, suffered a malware breach on April 19, 2025, exposing USIM data (IMSI, MSISDN, authentication keys). The stolen data could potentially enable SIM-swap attacks.
Impact: 34 million subscribers at risk of surveillance or SIM fraud.
Mitigation: Enable USIM protection service; monitor abnormal authentication.
Source: BleepingComputer
Ripple’s xrpl.js Library Hacked to Steal XRP Wallets
Versions 2.14.2 and 4.2.1-4.2.4 of Ripple’s xrpl.js NPM library were compromised with a backdoored checkValidityOfSeed() function that exfiltrated wallet seeds/keys to https://0x9c[.]xyz/xcm.
Impact: 452 downloads reported; funds at risk.
Mitigation: Upgrade to v4.2.5; rotate compromised keys.
Source: BleepingComputer
Google Sites Abused for Phishing with DKIM Replay Attacks
Phishers exploited Google Sites to host fake Google Support pages, sending signed emails via DKIM replay from no-reply@google.com. Attackers leveraged OAuth app names to spoof security alerts.
Impact: Credential theft bypassing email filters.
Mitigation: Disable legacy Google Sites; enforce phishing-resistant MFA.
Source: The Hacker News
Lotus Panda Targets SE Asia with Custom Malware
China-linked Lotus Panda deployed Sagerunex backdoor, ChromeKatz/CredentialKatz stealers, and reverse SSH tools against governments, telecoms, and airlines in Southeast Asia (August 2024–February 2025).
Impact: High-value data exfiltration via DLL sideloading through legitimate executables (e.g., tmdbglog.exe).
Mitigation: Monitor for atypical binary behavior; restrict PowerShell usage.
Source: The Hacker News
Florida Bar Urges Law Firms to Adopt Incident Response Plans
Following cyber threats, the Florida Bar mandated written incident response plans (IRPs) for law firms to counter data breaches. The guidance emphasizes proactive measures over reactive responses.
Source: DataBreaches
Abilene, Texas, Disconnects Systems After Cyberattack
The city of Abilene took systems offline on April 18, 2025, to contain an intrusion. Emergency services remained operational, but delays affected online payments.
Source: SecurityWeek
SSL.com Misissues Certificates Due to DCV Flaw
A domain validation bug led to fraudulent certificates for aliyun.com, medinet.ca, and others. Attackers abused the “Email to DNS TXT Contact” domain control validation (DCV) method.
Impact: 11 certificates wrongly issued.
Mitigation: Revoke affected certs; disable vulnerable DCV method.
Source: SecurityWeek