Svoboda Cybersecurity Brief July 24, 2025

Major Russian Cybercrime Forum Admin Arrested in Ukraine

Ukrainian authorities, with Europol and French police, arrested the suspected administrator of XSS.is, a major Russian-speaking cybercrime forum with 50K+ users. The forum facilitated malware sales, stolen data trading, and ransomware services, generating $7M in profits.
Source: DataBreaches

Chinese Hackers Exploit SharePoint Zero-Days in US Nuclear Agency Breach

China-linked threat groups exploited CVE-2025-49704 and CVE-2025-49706 (the ToolShell chain) to breach the National Nuclear Security Administration (NNSA). Attackers deployed web shells and stole ASP.NET MachineKey material; with those keys they can forge validly signed ViewState payloads and keep executing code on a server even after it is patched, so patching alone does not evict them. No classified data is reported to have been compromised.
Impact: Unauthorized access to sensitive systems, with persistence that survives patching if the keys are not rotated.
Mitigation: Patch SharePoint Server urgently, then rotate the ASP.NET machine keys and restart IIS; enable AMSI integration with an AV engine (known bypasses exist, so treat it as defense in depth, not a fix); hunt for unexpected .aspx files in the SharePoint LAYOUTS directory.
Source: BleepingComputer
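
Added example (Python; not code from this brief or from any of the sources it cites): a scanner over IIS W3C log lines that flags the ToolShell request pattern. The indicators it uses, a POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit whose Referer is /_layouts/SignOut.aspx, and any request for the spinstall0.aspx web shell, are the ones published in the vendor and researcher write-ups of this exploitation wave, not facts stated in the brief; the log excerpt is constructed. The last line of the sample is a legitimate ToolPane edit by a signed-in user and must not be flagged, which is why the Referer, not the URL alone, drives the rule.

```python
import re

# Constructed IIS W3C extended log excerpt for the example; these are not real log lines.
# The column order is taken from the #Fields header exactly as IIS writes it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 21:05:12 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/ 200
2025-07-18 21:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-18 21:05:41 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-07-18 21:06:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.0.88 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/sites/hr/SitePages/Home.aspx 200
"""

# Indicators as publicly reported for the ToolShell wave (assumption: taken from the
# vendor/researcher write-ups, not from this brief). Adjust if your hive path differs.
TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$")
WEBSHELL_RE = re.compile(r"/_layouts/1[56]/spinstall\d*\.aspx$")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log line before any #Fields header")
        parts = raw.split()  # IIS encodes spaces inside a field as '+', so this split is safe
        if len(parts) != len(fields):
            continue  # truncated line: skip rather than misalign the columns
        rec = dict(zip(fields, parts))
        rec["_line"] = lineno
        yield rec


def scan_iis_log(text):
    """Return findings for ToolShell-style requests; ordinary ToolPane edits are not flagged."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        query = rec["cs-uri-query"].lower()
        referer = rec["cs(Referer)"].lower()
        # Rule 1: the auth bypass is a POST to ToolPane.aspx in edit mode whose Referer
        # claims to come from the sign-out page; a real editing session never does that.
        if (rec["cs-method"] == "POST" and TOOLPANE_RE.search(stem)
                and "displaymode=edit" in query
                and referer.endswith("/_layouts/signout.aspx")):
            findings.append({"line": rec["_line"], "client": rec["c-ip"],
                             "rule": "toolpane-signout-referer"})
        # Rule 2: any hit on the web shell file name dropped into the LAYOUTS directory.
        if WEBSHELL_RE.search(stem):
            findings.append({"line": rec["_line"], "client": rec["c-ip"],
                             "rule": "webshell-name"})
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['rule']} from {f['client']}")
```

Point it at the real files under the IIS log directory (by default %SystemDrive%\inetpub\logs\LogFiles\W3SVC*) with the same #Fields-driven parsing; if your site logs fewer columns, add cs(Referer) to the logging configuration first, because rule 1 has nothing to work with without it.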

Clorox Sues Cognizant for $380M Over Help Desk Social Engineering Hack

Clorox alleges that Cognizant's outsourced help desk reset passwords and MFA factors for callers without verifying their identity, enabling Scattered Spider to breach its network in August 2023. The attack halted manufacturing and, Clorox says, caused $380M in damages. The practical check: no credential or MFA reset without an out-of-band identity step (callback to a number on record, manager approval, or an ID-verified workflow).
Source: BleepingComputer

IVF Provider Genea Finally Notifies Patients of Dark Web Data Leak

Australian fertility clinic Genea disclosed a February 2025 breach by the Termite gang, exposing patient names, Medicare numbers, and medical records. The 700GB leak was freely downloadable on dark web forums.
Source: DataBreaches

Interlock Ransomware Targets Windows/Linux VMs via Drive-By Downloads

A joint FBI/CISA advisory warns that Interlock ransomware gains initial access through drive-by downloads from compromised websites and ClickFix social engineering (fake CAPTCHA or "fix this error" prompts that trick users into pasting a command into the Run dialog or a terminal), then encrypts Windows and Linux virtual machines. The group practices double extortion and relies on legitimate remote-access tools such as AnyDesk for persistence and lateral movement.
Impact: Data theft and encryption of virtual machines.
Mitigation: Segment networks, enforce MFA, patch systems; filter DNS and web traffic; alert on PowerShell, mshta or cmd launched from explorer.exe with command lines that match ClickFix lures, and consider disabling the Run dialog by group policy for users who do not need it.
Source: DataBreaches

NPM Package ‘is’ (28M Weekly Downloads) Hijacked to Spread Malware

The NPM package 'is' was compromised after its maintainer's account was phished; the malicious versions add a loader that opens a WebSocket to an attacker-controlled server and executes whatever JavaScript it receives, giving remote code execution on every developer machine and CI runner that installs them. The same campaign pushed malware through @pwa-ib/eslint-plugin-compat and other packages.
Impact: Remote code execution via the software supply chain.
Mitigation: Pin exact versions with a committed lockfile and install with `npm ci`; audit lockfiles and node_modules for the affected versions; turn off automatic dependency updates and let new releases settle before adopting them. Note that `--ignore-scripts` blocks install-time payloads but not a backdoor like this one, which runs when the package is required.
Source: BleepingComputer
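
Added example (Python; not code from this brief, from npm or from the affected packages): an audit over a lockfileVersion 2/3 package-lock.json that reports any dependency resolved to a watchlisted version, any package that declares an install script, and any entry without an integrity hash. The lockfile and the watchlist are constructed for the example; substitute the exact versions named in the advisory you are responding to. Nested copies (a watchlisted 'is' pulled in underneath another package) are caught because the lock records every installed path, not just top-level dependencies.

```python
import json

# Constructed package-lock.json (lockfileVersion 3) for the example; this is not a
# real project and the integrity values are placeholders.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"is": "^3.3.0", "left-pad": "^1.3.0", "native-helper": "^2.0.0"}},
        "node_modules/is": {
            "version": "3.3.1",
            "resolved": "https://registry.npmjs.org/is/-/is-3.3.1.tgz",
            "integrity": "sha512-EXAMPLEHASH1",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-EXAMPLEHASH2",
        },
        "node_modules/native-helper": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/native-helper/-/native-helper-2.0.0.tgz",
            "hasInstallScript": True,
        },
        "node_modules/native-helper/node_modules/is": {
            "version": "5.0.0",
            "resolved": "https://registry.npmjs.org/is/-/is-5.0.0.tgz",
            "integrity": "sha512-EXAMPLEHASH3",
        },
    },
})

# Versions to treat as compromised. Constructed for the example: replace with the
# exact versions named in the advisory for the incident you are responding to.
WATCHLIST = {"is": {"3.3.1", "5.0.0"}}


def package_name(lock_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (nested and scoped names handled)."""
    return lock_path.rsplit("node_modules/", 1)[1]


def audit_lock(lock_text, watchlist=WATCHLIST):
    """Return (path, name, version, reason) tuples for every suspicious lock entry.

    Only lockfileVersion 2/3 (the 'packages' map) is handled; v1 lockfiles nest
    under 'dependencies' and would need a recursive walk instead.
    """
    lock = json.loads(lock_text)
    if "packages" not in lock:
        raise ValueError("lockfileVersion 2 or 3 required")
    findings = []
    for path, entry in lock["packages"].items():
        if not path.startswith("node_modules/"):
            continue  # '' is the root project; workspace members are local paths
        name, version = package_name(path), entry.get("version", "")
        if version in watchlist.get(name, ()):
            findings.append((path, name, version, "compromised-version"))
        if entry.get("hasInstallScript"):
            # Runs arbitrary code at install time; review before trusting it.
            findings.append((path, name, version, "install-script"))
        if not entry.get("link") and "integrity" not in entry:
            # Without an integrity hash, npm cannot detect a swapped tarball.
            findings.append((path, name, version, "no-integrity"))
    return findings


if __name__ == "__main__":
    for path, name, version, reason in audit_lock(SAMPLE_LOCK):
        print(f"{reason:20} {name}@{version}  ({path})")
```

Run it against the lockfile in each repository and each CI image, since a clean top-level `package.json` says nothing about what the lock actually resolved; a finding of compromised-version on a nested path means a transitive dependency pulled the bad release in.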

France Travail Hacked: 340K Job Seekers’ Data Stolen

France’s public employment agency France Travail was breached for the third time in two years, exposing personal data of about 340K job seekers. The vulnerabilities exploited have not been disclosed.
Source: DataBreaches

Coyote Banking Trojan Abuses Microsoft UIA Framework for Credential Theft

Coyote now uses the Windows UI Automation (UIA) accessibility framework to read browser tab titles and address-bar contents and match them against 75+ banking and cryptocurrency sites, activating its credential-theft routine when a target is open. It is the first observed in-the-wild abuse of UIA, a technique previously shown only as a proof of concept.
Impact: Credential theft through a legitimate accessibility API that traditional detection rules rarely inspect.
Mitigation: Hunt for processes other than known assistive-technology tools that load UIAutomationCore.dll or drive browser windows through UIA, and treat that as a telemetry signal worth alerting on.
Source: The Hacker News

CISA Warns of Active Exploitation of SysAid XXE Vulnerabilities

CVE-2025-2775 and CVE-2025-2776 (CVSS 9.3) are pre-authentication XML External Entity (XXE) flaws in SysAid On-Prem ITSM: an unauthenticated request carrying a crafted DOCTYPE makes the server's XML parser read local files or issue server-side requests (SSRF). They were patched in March 2025, but CISA has now added them to its Known Exploited Vulnerabilities catalog as actively exploited.
Impact: Data exfiltration (local files and credentials) and system compromise.
Mitigation: Update to SysAid On-Prem 24.4.60 or later; until then, restrict network access to the SysAid instance.
Source: The Hacker News
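
Added example (Python; not SysAid's code and not an exploit for these CVEs): the XXE bug class those CVEs belong to, shown with the standard-library SAX parser. The vulnerable configuration fetches external general entities, so an attacker's DOCTYPE turns the parser into a file reader; the hardened configuration leaves that feature off and the entity expands to nothing. The target file and the secret in it are created in a temporary directory by the example itself.

```python
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers all character data so we can see exactly what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_ticket(xml_bytes, allow_external_entities):
    """Parse attacker-supplied XML. The one feature flag is the whole difference
    between the vulnerable and the hardened configuration."""
    parser = xml.sax.make_parser()
    # Vulnerable: True lets the parser fetch SYSTEM entities (file://, http://, ...).
    # Hardened: False (the stdlib default since Python 3.7.1) leaves them unexpanded.
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks).strip()


def xxe_payload(target_path):
    """Classic XXE: an external general entity pointing at a local file, referenced in content."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE ticket [
  <!ENTITY xxe SYSTEM "{Path(target_path).as_uri()}">
]>
<ticket><subject>&xxe;</subject></ticket>""".encode()


def demo():
    """Return (what the vulnerable parser leaks, what the hardened parser returns)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_file = os.path.join(tmp, "db.properties")
        with open(secret_file, "w") as fh:
            fh.write("db.password=hunter2-constructed-secret\n")  # constructed secret
        payload = xxe_payload(secret_file)
        leaked = parse_ticket(payload, allow_external_entities=True)
        safe = parse_ticket(payload, allow_external_entities=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(safe))
```

The same switch exists in every mainstream parser: in Java (SysAid's stack) disable DOCTYPE declarations with the `http://apache.org/xml/features/disallow-doctype-decl` feature or turn off external general and parameter entities; in lxml pass `resolve_entities=False`. An SSRF variant is the same payload with an `http://` system identifier, which is why the hardened setting must cover all external entities, not just `file://`.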

Google Launches OSS Rebuild to Detect Malicious Open-Source Packages

Google’s OSS Rebuild project verifies package integrity by rebuilding packages from their published source in an isolated environment and comparing the result with the artifact on the registry; any divergence signals that the published package was tampered with, as in the XZ Utils backdoor, where the malicious build logic was present in the release tarball but not in the Git repository. It initially covers PyPI, npm and crates.io and publishes attestations so consumers can check that a package was reproduced.
Source: The Hacker News

Brave Browser Blocks Windows Recall from Capturing User Activity

Brave disabled Windows Recall’s screenshot capture of its windows by marking them with the IS_PRIVATE input scope through the SetInputScope API, Microsoft’s documented opt-out for sensitive content. This keeps browsing activity out of Microsoft’s AI feature without blocking ordinary screenshots, unlike the display-affinity (DRM-style) window flag some applications use.
Source: BleepingComputer

Lumma Stealer Resurfaces with New C2 Domains After Takedown

Despite May’s law-enforcement takedown of its infrastructure, Lumma Stealer has returned with new C2 domains, again distributed through fake software cracks and malicious GitHub repositories.
Source: SecurityWeek

UK Bans Ransomware Payments for Critical Infrastructure

The UK government confirmed plans to ban public-sector bodies and critical national infrastructure (CNI) operators from paying ransoms, and to require other victims to notify the authorities before paying. Critics warn the ban may push payments underground rather than stop them.
Source: SecurityWeek

Mimo Threat Actor Targets Magento and Docker for Cryptojacking

Mimo exploits PHP-FPM flaws in Magento, and Docker hosts whose daemon API is exposed to the internet, to deploy XMRig miners and IPRoyal proxyware, loading payloads in memory to evade disk-based detection.
Mitigation: Patch Magento and PHP-FPM; never bind the Docker daemon to a public TCP port (keep it on the Unix socket or require TLS client certificates); alert on unexpected containers and on outbound mining-pool traffic.
Source: The Hacker News
