Svoboda Cybersecurity Brief July 29, 2025

Jul 29, 2025


Scattered Spider exploits VMware ESXi in ransomware attacks on critical US infrastructure

Scattered Spider (UNC3944) has been hijacking VMware ESXi hypervisors in targeted attacks against the US retail, airline, and transportation sectors. The group bypasses security controls using social engineering and living-off-the-land techniques rather than exploiting software vulnerabilities.
Impact: Full hypervisor control, data exfiltration, ransomware deployment.
Mitigation: Enable vSphere lockdown mode, enforce execInstalledOnly, isolate backups, implement phishing-resistant MFA.
Source: The Hacker News
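The first two mitigations above are host settings that can be audited fleet-wide. The following is an added example (not code from the brief, from VMware, or from the cited reporting) that reads lockdown mode and the execInstalledOnly advanced option from every ESXi host known to a vCenter and reports the ones that fall short. It assumes pyVmomi (the vSphere Python SDK) for the live collector; the option key `VMkernel.Boot.execInstalledOnly` and the `lockdownDisabled`/`lockdownNormal`/`lockdownStrict` enum values are the ones exposed through the vSphere API. The assessment logic is kept separate from the collector so it can be exercised offline against constructed host records.

```python
"""Audit ESXi hosts for lockdown mode and execInstalledOnly.

Added example, not part of the original brief. The live collector assumes
pyVmomi; assess() is pure and runs without any vSphere connection.
"""
from dataclasses import dataclass

# Advanced-option key under which execInstalledOnly is exposed via the vSphere API.
EXEC_INSTALLED_ONLY_KEY = "VMkernel.Boot.execInstalledOnly"

# vim.host.LockdownMode values as returned by pyVmomi.
LOCKDOWN_DISABLED = "lockdownDisabled"
LOCKDOWN_NORMAL = "lockdownNormal"
LOCKDOWN_STRICT = "lockdownStrict"


@dataclass
class HostPosture:
    name: str
    lockdown_mode: str           # one of the three LOCKDOWN_* values
    exec_installed_only: bool    # True when only binaries from installed VIBs may run


def assess(posture: HostPosture) -> list[str]:
    """Return findings for one host; an empty list means both controls are in place."""
    findings = []
    if posture.lockdown_mode == LOCKDOWN_DISABLED:
        findings.append(
            f"{posture.name}: lockdown mode disabled; direct host logins over SSH/DCUI/ESXi Shell "
            "with stolen credentials remain possible"
        )
    elif posture.lockdown_mode not in (LOCKDOWN_NORMAL, LOCKDOWN_STRICT):
        findings.append(f"{posture.name}: unrecognised lockdown mode value {posture.lockdown_mode!r}")
    if not posture.exec_installed_only:
        findings.append(
            f"{posture.name}: execInstalledOnly is off; binaries dropped on the host outside "
            "an installed VIB (e.g. a ransomware encryptor) can execute"
        )
    return findings


def assess_fleet(postures: list[HostPosture]) -> dict[str, list[str]]:
    """Map host name -> findings, keeping only hosts that have at least one finding."""
    report = {}
    for p in postures:
        findings = assess(p)
        if findings:
            report[p.name] = findings
    return report


def collect(vcenter: str, user: str, password: str) -> list[HostPosture]:
    """Pull both settings for every host managed by the given vCenter (requires pyVmomi)."""
    from pyVim.connect import SmartConnect, Disconnect
    from pyVmomi import vim

    si = SmartConnect(host=vcenter, user=user, pwd=password)
    try:
        content = si.RetrieveContent()
        view = content.viewManager.CreateContainerView(content.rootFolder, [vim.HostSystem], True)
        postures = []
        for host in view.view:
            # QueryOptions returns a list of OptionValue objects for the requested key.
            opts = host.configManager.advancedOption.QueryOptions(EXEC_INSTALLED_ONLY_KEY)
            enabled = bool(opts[0].value) if opts else False
            postures.append(HostPosture(host.name, str(host.config.lockdownMode), enabled))
        view.Destroy()
        return postures
    finally:
        Disconnect(si)


if __name__ == "__main__":
    # Constructed sample fleet, standing in for collect("vcenter.example", "user", "pw").
    sample = [
        HostPosture("esx01.example", LOCKDOWN_NORMAL, True),
        HostPosture("esx02.example", LOCKDOWN_DISABLED, False),
        HostPosture("esx03.example", LOCKDOWN_STRICT, False),
    ]
    for host, findings in assess_fleet(sample).items():
        for line in findings:
            print(line)
```

Hosts that show up in the report can be corrected from the ESXi shell with `esxcli system settings kernel set -s execInstalledOnly -v TRUE` (takes effect after a reboot) and by enabling lockdown mode from the host's Security Profile in vSphere; on a fleet, apply both through a host profile rather than host by host so drift is caught by the next audit run.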

Critical flaws in Tridium Niagara Framework expose smart buildings to RCE

Over a dozen vulnerabilities (e.g., CVE-2025-3936 to CVE-2025-3945) in Tridium’s Niagara Framework could allow network-adjacent attackers to achieve root-level RCE on misconfigured systems.
Impact: Complete system compromise in smart buildings and industrial environments.
Mitigation: Update to Niagara Framework versions 4.14.2u2, 4.15.u1, or 4.10u.11.
Source: The Hacker News

Tea app leak exposes 1.1M private chats and verified user IDs

Two databases from the Tea app (a women-only platform) were leaked, exposing 13,000 selfies, 59,000 images, and 1.1M private messages. Attackers created a “facesmash”-style site to rate leaked selfies.
Source: BleepingComputer

BlackSuit ransomware leak site seized, rebrands as Chaos

Law enforcement seized BlackSuit’s Tor leak site (200+ victims) in Operation Checkmate. Cisco Talos links the group to the emerging Chaos ransomware, noting identical encryption methods and ransom notes.
Source: SecurityWeek

Endgame Gear mouse config tool delivered XRed malware

Between June 26 and July 9, Endgame Gear’s official OP1w 4k v2 configuration tool (Endgame_Gear_OP1w_4k_v2_Configuration_Tool_v1_00.exe), as downloaded from the vendor’s site, was trojanized with the XRed backdoor.
Impact: Keylogging, data exfiltration, remote shell access.
Mitigation: Delete files in C:\ProgramData\Synaptics, reinstall clean tool, change passwords.
Source: BleepingComputer

NASCAR confirms data breach after Medusa ransomware attack

NASCAR confirmed that personal data (names, SSNs) was stolen in an April 2025 attack, consistent with Medusa’s claims of 1TB of exfiltrated data and a $4M ransom demand.
Source: SecurityWeek

Allianz Life breach exposes 1.4M US customers via third-party CRM

Hackers used social engineering to compromise Allianz Life’s CRM system, accessing PII of most US customers. No evidence of internal network breach found.
Source: SecurityWeek

Post SMTP WordPress plugin flaw (CVE-2025-24000) allows site takeover

A broken access control flaw in Post SMTP (400k+ installations) lets attackers reset admin passwords via exposed email logs. Only ~50% of installations are patched.
Impact: Full site compromise.
Mitigation: Update to version 3.3.
Source: SecurityWeek

AIIMS organ donor portal exposed sensitive medical data

A researcher found a vulnerability in India’s AIIMS ORBO portal, exposing organ donor PII and medical records. Patched after disclosure.
Source: DataBreaches

Cisco ISE exploits (CVE-2025-20281, CVE-2025-20337) now weaponized

Attackers chain command injection and deserialization flaws in Cisco ISE to gain root access, with a public exploit demonstrating container escape via cgroups.
Impact: Full device compromise.
Mitigation: Apply ISE 3.3 Patch 7 or 3.4 Patch 2.
Source: BleepingComputer
