Svoboda Cybersecurity Brief August 02, 2025

SonicWall Firewalls Targeted by Akira Ransomware via Potential Zero-Day

The Akira ransomware group is actively targeting SonicWall firewall devices, potentially exploiting an unknown zero-day vulnerability in SSL VPN connections. Over 300 organizations have been affected since March 2023, with $42M in ransom payments extorted as of April 2024.
Impact: Unauthorized access leading to data encryption and exfiltration.
Mitigation: Temporarily disable SonicWall SSL VPN services, enable enhanced logging, and block VPN authentication attempts originating from hosting-provider networks.
Source: BleepingComputer

SharePoint Exploited to Deploy 4L4MD4R Ransomware

Palo Alto Networks is investigating attacks that leverage the ToolShell vulnerabilities (CVE-2025-49706, CVE-2025-49704) in Microsoft SharePoint to deploy 4L4MD4R ransomware. The attackers disable Windows Defender and bypass certificate validation.
Impact: Data encryption with threats of deletion if decryption is attempted.
Mitigation: Patch SharePoint, monitor for suspicious PowerShell activity, and enforce certificate validation.
Source: DataBreaches

Storm-2603 Deploys DNS-Based Backdoor in LockBit & Warlock Attacks

A suspected Chinese threat actor (Storm-2603) uses the AK47 C2 framework with DNS-based backdoors (update.updatemicfosoft[.]com) to deploy LockBit and Warlock ransomware. A bring-your-own-vulnerable-driver (BYOVD) technique abuses Antiy Labs’ ServiceMouse.sys driver to kill security software.
Impact: Persistent access, data theft, and ransomware deployment.
Mitigation: Block C2 domains, audit driver installations, and monitor for masscan/WinPcap usage.
Source: TheHackerNews

Cursor IDE Vulnerability Allows Remote Code Execution via MCP

CVE-2025-54135 (CVSS 8.6) in Cursor IDE enables RCE through a poisoned MCP JSON configuration delivered via untrusted content (e.g., Slack messages). Attackers can rewrite ~/.cursor/mcp.json to execute arbitrary commands.
Impact: Full system compromise under developer privileges.
Mitigation: Upgrade to Cursor v1.3, restrict MCP server integrations, and audit third-party content.
Source: BleepingComputer

Fake OAuth Apps Used in Tycoon Phishing Campaign Targeting Microsoft 365

Attackers impersonate RingCentral, Adobe, and DocuSign with fake OAuth apps to steal credentials via the Tycoon phishing-as-a-service (PhaaS) platform. Over 900 Microsoft 365 environments have been compromised in 2025.
Impact: Account takeover and data exfiltration.
Mitigation: Enforce MFA, disable legacy auth, and require admin consent for third-party apps.
Source: TheHackerNews

AI-Generated npm Package Steals Solana Wallets

The malicious package @kodane/patch-manager (1,500+ downloads) uses postinstall scripts to drain Solana wallets via the C2 server sweeper-monitor-production.up.railway[.]app. It was likely authored using Anthropic Claude AI.
Impact: Cryptocurrency theft via compromised wallet files.
Mitigation: Audit npm dependencies, block suspicious domains, and monitor postinstall scripts.
Source: TheHackerNews

Russian APT Secret Blizzard Deploys ApolloShadow Malware via ISP Hijacking

The Russian FSB-linked group uses adversary-in-the-middle (AitM) attacks at the ISP level against embassies in Moscow, deploying ApolloShadow malware with fake Kaspersky certificates. The malware creates a persistent admin account named UpdatusUser.
Impact: Long-term espionage and data leakage.
Mitigation: Use VPNs, enforce least privilege, and monitor certutil usage.
Source: SecurityWeek

$1M Prize for WhatsApp Zero-Click Exploit at Pwn2Own Ireland 2025

ZDI is offering up to $1M for a zero-click RCE in WhatsApp, with additional prizes for Meta wearables and smartphones (USB-based exploit categories are newly added).
Source: BleepingComputer

Ransomware Gangs Escalate to Physical Threats

40% of victims report physical violence threats from ransomware groups like ALPHV, alongside regulatory complaints (47%) and data destruction (63%).
Source: DataBreaches

Oklahoma Strengthens Data Breach Notification Laws

Senate Bill 626 broadens notification requirements and adds a “safe harbor” for compliant security measures, effective January 2026.
Source: DataBreaches

Northwest Radiologists Notifies 350K Patients After 6-Month Delay

The HIPAA breach involved SSNs, medical records, and insurance data. No ransomware group has claimed responsibility, but extortion is suspected.
Source: DataBreaches

Pi-hole Data Breach via GiveWP Plugin

30,000 donors were exposed by a GiveWP flaw that leaked names and email addresses in page source. No financial data was compromised.
Source: BleepingComputer

Genoa Community Hospital Discloses Email Breach

Unauthorized access to employee email exposed patient SSNs and medical data. No extortion observed.
Source: DataBreaches

Cycle & Carriage Singapore Exposes 147K Customer Records

A CRM system breach leaked names and contact information after unauthorized access on July 14.
Source: DataBreaches
