Svoboda Cybersecurity Brief July 30, 2025

Jul 30, 2025

St. Paul Cyberattack Triggers National Guard Deployment

A cyberattack on St. Paul, Minnesota, prompted Governor Tim Walz to deploy the National Guard and declare a state of emergency. The attack disrupted city services, including online payments and library systems, though emergency services remained operational. The incident exceeded local response capabilities, requiring state and federal collaboration.
Source: DataBreaches.net

Russian Airline Aeroflot Grounded by Hacktivist Cyberattack

Hacktivist groups Silent Crow and Cyberpartisans BY claimed responsibility for a cyberattack on Aeroflot, Russia’s largest airline, causing 60+ flight cancellations. The attackers allegedly infiltrated Aeroflot’s IT infrastructure for over a year, exfiltrating databases and wiping 7,000 servers. The attack highlights ongoing cyber warfare linked to geopolitical tensions.
Source: BleepingComputer

SAP NetWeaver Exploit Deploys Linux Auto-Color Malware

Cybercriminals exploited CVE-2025-31324, a critical SAP NetWeaver vulnerability, to deploy the evasive Auto-Color Linux malware at a U.S. chemicals company. The malware persists through the ld.so.preload mechanism and hides its C2 behaviour when the C2 server is unreachable, complicating detection.
Impact: Remote code execution and data exfiltration.
Mitigation: Apply SAP patches and monitor for unauthorized binary uploads.
Source: BleepingComputer
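A defender-side check for the persistence mechanism named above, added here as an example; it is not code from the article or from any cited report. It parses the whitespace-separated entries of /etc/ld.so.preload and flags objects that sit outside the usual library directories, are not root-owned, are group- or world-writable, or are missing on disk; the sample file content and the ownership data are constructed.

```python
import os
import stat
from typing import Callable, Optional

# Directories where a legitimately preloaded shared object normally lives.
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Constructed sample of a tampered preload file plus (uid, mode) of its entries;
# not from the article. /lib/libdoor.so is deliberately absent from SAMPLE_META.
SAMPLE_PRELOAD = "/usr/lib/x86_64-linux-gnu/libcap.so.2\n/tmp/.cache/libsys.so /lib/libdoor.so\n"
SAMPLE_META = {"/usr/lib/x86_64-linux-gnu/libcap.so.2": (0, 0o644),
               "/tmp/.cache/libsys.so": (1000, 0o666)}

def parse_preload(text: str) -> list:
    """The loader reads ld.so.preload as a whitespace-separated list of objects."""
    return text.split()
def classify_entry(path: str, meta: Optional[tuple]) -> list:
    """Reasons an entry looks suspicious; meta is (uid, mode), or None if absent."""
    reasons = []
    if not path.startswith("/"):
        reasons.append("relative path")
    elif not path.startswith(TRUSTED_DIRS):
        reasons.append("outside trusted library directories")
    if meta is None:
        reasons.append("missing on disk")
    else:
        uid, mode = meta
        if uid != 0:
            reasons.append("not owned by root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("group- or world-writable")
    return reasons

def audit_preload(text: str, lookup: Callable[[str], Optional[tuple]]) -> dict:
    """Map each suspicious entry to its findings; lookup gives (uid, mode) or None."""
    findings = {}
    for path in parse_preload(text):
        reasons = classify_entry(path, lookup(path))
        if reasons:
            findings[path] = reasons
    return findings

def stat_lookup(path: str) -> Optional[tuple]:
    """Live lookup via os.stat for use against the real /etc/ld.so.preload."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return (st.st_uid, stat.S_IMODE(st.st_mode))
```

On a live host, run `audit_preload(open("/etc/ld.so.preload").read(), stat_lookup)`; an absent preload file is the normal, clean state on most systems.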

French Telecom Giant Orange Discloses Cyberattack

Orange reported a cyberattack on its systems, causing operational disruptions for French customers. The company isolated affected systems and found no evidence of data theft. The incident resembles past breaches attributed to China’s Salt Typhoon espionage group.
Source: BleepingComputer

FBI Seizes $2.4M in Bitcoin from Chaos Ransomware Affiliate

The FBI confiscated 20.2891382 BTC from a Chaos ransomware affiliate linked to attacks on Texas companies. The new Chaos operation is a rebrand of BlackSuit, itself a Conti ransomware offshoot. The seizure follows the takedown of BlackSuit’s dark web infrastructure.
Source: BleepingComputer

Lovense Sex Toy App Exposes User Email Addresses

A zero-day flaw in Lovense’s app allowed attackers to reveal users’ email addresses using only their usernames. The vulnerability, reported in March 2025, was partially fixed but remains exploitable due to backward compatibility concerns.
Impact: Privacy breaches and potential doxxing risks.
Mitigation: Users should avoid sharing usernames publicly until Lovense completes its patch rollout.
Source: BleepingComputer

Wiz Uncovers Critical Access Bypass in AI Coding Platform Base44

A vulnerability in Wix-owned Base44 allowed attackers to bypass authentication and access private applications by manipulating app_id values. The flaw was patched within 24 hours of disclosure, with no evidence of exploitation.
Impact: Unauthorized access to sensitive app data.
Mitigation: Update Base44 instances and enforce strict app_id validation.
Source: The Hacker News

PyPI Warns of Phishing Campaign Using Fake Verification Emails

Attackers impersonated PyPI via noreply@pypj[.]org emails, directing users to a fake site that harvested credentials. The campaign mirrors similar npm phishing attacks using typosquatted domains.
Impact: Credential theft and potential supply chain compromises.
Mitigation: Verify email domains and avoid clicking unsolicited links.
Source: The Hacker News
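One way to act on the "verify email domains" advice above, added here as an example that is not from the article: it normalises a possibly defanged sender address, accepts an exact or subdomain match against an assumed allowlist, and flags domains that are merely close to a trusted one, such as pypj.org against pypi.org. The allowlist and the sample sender addresses are constructed.

```python
import re
from difflib import SequenceMatcher

# Assumed allowlist of domains that legitimately send mail for the index.
TRUSTED_DOMAINS = ("pypi.org", "python.org")

def normalise_domain(value: str) -> str:
    """Undo common defanging such as [.] or (.), lowercase, strip a trailing dot."""
    value = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", value.strip().lower())
    return value.rstrip(".")

def sender_domain(address: str) -> str:
    """Domain part of an e-mail address, whether or not it was defanged."""
    return normalise_domain(address.rsplit("@", 1)[-1])

def lookalike_score(candidate: str, trusted: str) -> float:
    """Similarity ratio in [0, 1]; 1.0 means the strings are identical."""
    return SequenceMatcher(None, candidate, trusted).ratio()

def assess_sender(address: str, threshold: float = 0.8) -> tuple:
    """Return (verdict, closest trusted domain) for an e-mail sender.

    'trusted'   : exact allowlist match or a subdomain of one
    'lookalike' : not trusted but within threshold of a trusted domain (typosquat)
    'unrelated' : everything else
    """
    domain = sender_domain(address)
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return ("trusted", trusted)
    best = max(TRUSTED_DOMAINS, key=lambda t: lookalike_score(domain, t))
    verdict = "lookalike" if lookalike_score(domain, best) >= threshold else "unrelated"
    return (verdict, best)

# Constructed sample of sender addresses seen in a mailbox (not from the article).
SAMPLE_SENDERS = ["noreply@pypi.org", "noreply@pypj[.]org", "alerts@mail.pypi.org",
                  "newsletter@example.com"]

def triage(addresses=SAMPLE_SENDERS) -> dict:
    """Map each sender address to its verdict."""
    return {a: assess_sender(a)[0] for a in addresses}
```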

Chaos RaaS Emerges After BlackSuit Takedown

The new Chaos ransomware operation, linked to BlackSuit/Conti, demands $300K ransoms and uses phishing/RMM tools for initial access. Its multithreaded encryption targets Windows, ESXi, Linux, and NAS systems.
Impact: Data encryption and exfiltration.
Mitigation: Block unauthorized RMM tools and enforce MFA for admin accounts.
Source: The Hacker News

CISA Adds PaperCut CSRF Flaw to KEV Catalog

CVE-2023-2533, a CSRF flaw in PaperCut NG/MF, was added to CISA’s KEV list due to active exploitation. The bug allows RCE if an admin clicks a malicious link.
Impact: Remote code execution and system compromise.
Mitigation: Update to PaperCut NG/MF versions 22.1.1, 21.2.12, or 20.1.8.
Source: The Hacker News

Lenovo Firmware Vulnerabilities Enable Persistent Implants

Six flaws (CVE-2025-4421 to CVE-2025-4426) in Lenovo all-in-one desktops’ System Management Mode (SMM) could bypass Secure Boot and deploy persistent malware.
Impact: Firmware-level compromise surviving OS reinstallation.
Mitigation: Apply Lenovo firmware updates and restrict physical access.
Source: SecurityWeek

macOS Sploitlight Vulnerability Leaks Sensitive Data

CVE-2025-31199 in macOS allowed attackers to bypass TCC protections via Spotlight plugins, exposing geolocation, photos, and iCloud-linked device data. Patched in macOS Sequoia 15.4.
Impact: Unauthorized access to protected user data.
Mitigation: Update to macOS 15.4+ and audit Spotlight plugin permissions.
Source: SecurityWeek

SarangTrap Malware Targets Asian Mobile Users via Fake Apps

Over 250 malicious Android apps and 80 domains impersonated dating and social platforms to steal contacts and images. iOS users were tricked into installing malicious configuration profiles.
Impact: Data theft and blackmail risks.
Mitigation: Avoid unofficial app stores and review device permissions.
Source: The Hacker News

Modern JavaScript Injection Threats Outpace React Protections

Despite React’s XSS safeguards, attacks now exploit supply chain compromises, prototype pollution, and AI-generated code. The Polyfill.io breach (June 2024) affected 100,000+ sites.
Impact: Client-side data theft and malicious code execution.
Mitigation: Use context-aware encoding and audit third-party dependencies.
Source: The Hacker News
