Svoboda Cybersecurity Brief August 15, 2025
Criminal Duo Guilty in $1.6M Hospital Data Fraud Scheme
Two defendants pled guilty to conspiracy to commit wire and bank fraud after stealing 4,005 patient records from Montefiore Medical Center (Bronx) and attempting to fraudulently obtain $1.6M in pandemic relief funds. The insider, Wilkins Estrella, was a hospital clerk who accessed PHI (names, SSNs, insurance data).
Impact: $951,618.20 in actual losses, patient data compromised.
Mitigation: Strengthened internal audits, MFA for sensitive systems, employee monitoring.
Source: DataBreaches.net
Pro-Russian Hackers Sabotage Norwegian Dam via OT Breach
Norwegian authorities confirmed pro-Russian hackers remotely opened outflow valves at the Bremanger dam in April 2025, releasing 1.9M gallons of water. Attackers exploited OT systems, mimicking Sandworm (APT44) tactics to demonstrate hybrid warfare capabilities.
Impact: Operational disruption, geopolitical escalation risk.
Mitigation: Air-gap critical OT systems, deploy network segmentation, monitor for unusual valve commands.
Source: BleepingComputer
Crypto24 Ransomware Evades EDR with Custom Blinding Tool
Crypto24 leverages custom RealBlindingEDR variant to disable kernel drivers from Trend Micro, Kaspersky, SentinelOne, and others. Attacks target finance, manufacturing, and tech sectors via SMB lateral movement and Google Drive exfiltration.
Impact: Data theft, ransomware deployment, bypassed EDR detection.
Mitigation: Patch SMB vulnerabilities, restrict Google Drive API permissions, monitor for WinMainSvc.dll/MSRuntime.dll.
Source: BleepingComputer
PhantomCard NFC Relay Malware Steals Card Data in Brazil
Android trojan PhantomCard (NFU Pay MaaS) abuses NFC to relay card details to POS terminals, mimicking “Proteção Cartões” app. Attackers trick victims into entering PINs via social engineering.
Impact: Fraudulent transactions, global NFC payment abuse.
Mitigation: Block sideloaded APKs, enforce MFA for NFC transactions, monitor for com.nfupay.s145.
Source: TheHackerNews
HTTP/2 MadeYouReset Vulnerability Enables Massive DDoS
CVE-2025-8671 allows unbounded concurrent requests via malformed frames, bypassing Rapid Reset mitigations. Affected implementations include Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), and Netty (CVE-2025-55163).
Impact: Resource exhaustion, service disruption.
Mitigation: Apply vendor patches, limit HTTP/2 stream resets, deploy rate limiting.
Source: TheHackerNews
N-able N-central Flaws Exploited in Auth-Bypass Attacks
CVE-2025-8875 (insecure deserialization) and CVE-2025-8876 (command injection) allow authenticated attackers to execute arbitrary code. CISA confirms exploitation, urges patching to 2025.3.1.
Impact: MSP supply chain compromise, lateral movement.
Mitigation: Patch immediately, enforce MFA for admin accounts, audit on-prem instances.
Source: SecurityWeek
Xerox FreeFlow Core Flaws Allow RCE via XXE/Path Traversal
CVE-2025-8355 (XXE) and CVE-2025-8356 (path traversal) in FreeFlow Core 8.0.5 let unauthenticated attackers deploy webshells. The prepress automation platform is used by governments and universities.
Impact: Full system compromise, data exfiltration.
Mitigation: Update to v8.0.5, disable external XML parsing, restrict file uploads.
Source: SecurityWeek
SquareX Demonstrates Passkey Bypass via WebAuthn Hijacking
Attackers manipulate WebAuthn API flows via malicious browser extensions or XSS, bypassing Face ID/fingerprint authentication. Requires JavaScript injection or compromised extension.
Impact: Account takeover despite passkey protection.
Mitigation: Audit browser extensions, implement CSP headers, monitor WebAuthn anomalies.
Source: SecurityWeek
CrossC2 Expands Cobalt Strike to Linux/macOS Targets
JPCERT/CC observes CrossC2 framework enabling cross-platform beaconing, paired with ReadNimeLoader (Nim-based) and OdinLdr shellcode loader. Linked to Black Basta ransomware campaigns.
Impact: Lateral movement, ransomware deployment.
Mitigation: Block unusual java.exe sideloading, monitor for ELF SystemBC variants.
Source: TheHackerNews
$300M Crypto Seized in Global Anti-Fraud Operations
T3 FCU (TRM Labs, Binance, Tether) froze $250M, while Project Atlas (Canada/US) blocked $50M USDT tied to romance scams. Chainalysis traced 2,000 wallets across 14 countries.
Source: BleepingComputer
Booking.com Phishing Abuses Unicode “ん” Character
Attackers use U+3093 (hiragana ん) to mimic legitimate URLs (e.g., booking.comんdetailん[...]). The campaign delivers MSI payloads via updatessoftware.b-cdn[.]net.
Impact: Credential theft, malware infection.
Mitigation: Train users to inspect URLs, block b-cdn[.]net, enforce attachment filtering.
Source: BleepingComputer
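The trick above works because hiragana ん sits where a reader expects a slash, so the eye parses a single long hostname as "booking.com/…". The following added detection helper (not from the brief or BleepingComputer) shows what the eye perceives versus where the browser actually connects; the lookalike table and the sample URL suffix "example.test" are constructed.

```python
"""Flag hostnames whose Unicode characters pass for URL delimiters, e.g. U+3093
(hiragana 'ん') standing in for '/', so 'booking.comんdetailん...' reads as a
booking.com path to the eye while resolving to an unrelated domain."""
from urllib.parse import urlsplit

# Characters that visually resemble URL delimiters. U+3093 is the one from the
# Booking.com campaign; the rest are common confusables (constructed, not
# exhaustive).
DELIMITER_LOOKALIKES = {
    "\u3093": "/",  # ん hiragana N
    "\u2215": "/",  # division slash
    "\u2044": "/",  # fraction slash
    "\u3002": ".",  # ideographic full stop
    "\uff0e": ".",  # fullwidth full stop
}


def registrable_domain(host: str) -> str:
    """Simplified: last two labels. Production code should use the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_url(url: str) -> dict:
    """Return the domain a user perceives vs. the one the browser connects to."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    lookalikes = sorted({c for c in host if c in DELIMITER_LOOKALIKES})
    # Swap each lookalike for the delimiter it imitates to get the string a
    # user believes they are reading, then take its apparent host part.
    perceived = "".join(DELIMITER_LOOKALIKES.get(c, c) for c in host)
    perceived_domain = registrable_domain(perceived.split("/")[0])
    actual_domain = registrable_domain(host)
    try:
        punycode = host.encode("idna").decode("ascii")  # what DNS actually sees
    except UnicodeError:
        punycode = None  # invalid IDN label; still worth a closer look
    return {
        "host": host,
        "punycode": punycode,
        "lookalikes": lookalikes,
        "perceived_domain": perceived_domain,
        "actual_domain": actual_domain,
        "suspicious": bool(lookalikes),
    }


if __name__ == "__main__":
    # Constructed sample in the shape of the campaign's URL; the real suffix is
    # not reproduced here and 'example.test' is a placeholder.
    for u in ("https://booking.com\u3093detail\u3093login.example.test/",
              "https://www.booking.com/hotel/detail"):
        r = analyze_url(u)
        print("SUSPICIOUS" if r["suspicious"] else "ok", r)
```

Mail gateways and proxies can apply the same check to every URL they see, alerting on the punycode form so analysts are not fooled by the rendered string.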