Svoboda Cybersecurity Brief August 19, 2025
Microsoft’s Nuance settles MOVEit breach lawsuit for $8.5M
Microsoft-owned Nuance agreed to pay $8.5M to settle a class action lawsuit over the 2023 MOVEit breach, while admitting no liability. The breach affected 1.225M individuals and resulted from the Clop ransomware gang's exploitation of a vulnerability in Progress Software's MOVEit.
Source: DataBreaches
ERMAC Android banking trojan source code leaked
The source code for ERMAC v3.0, an Android banking trojan targeting more than 700 banking and cryptocurrency apps, was leaked. The leak includes the backend and frontend panels, exfiltration servers, and builder tools; hardcoded credentials and poor operational security allowed researchers to map the operators' infrastructure.
Impact: Increased risk of modified variants and detection evasion.
Mitigation: Monitor for anomalous app behaviors, enforce app vetting.
Source: BleepingComputer
Over 800 N-able N-central servers unpatched against critical flaws
CVE-2025-8875 (command injection) and CVE-2025-8876 (insecure deserialization), two actively exploited flaws in N-able's N-central RMM tool, remain unpatched on 880 internet-exposed servers, mostly in the US and Canada. CISA has required federal agencies to patch by August 20.
Impact: RCE and privilege escalation risks for MSP-managed networks.
Mitigation: Upgrade to N-central 2025.3.1, enforce MFA for admin accounts.
Source: SecurityWeek
Workday breached via Salesforce social engineering attack
Workday disclosed a breach of a third-party CRM platform (likely Salesforce) that exposed business contact information (names, emails, and phone numbers). The incident is linked to the ShinyHunters/Scattered Spider campaigns that have targeted Adidas, Google, and others through OAuth app abuse.
Source: SecurityWeek
Noodlophile malware evolves with copyright phishing lures
The Noodlophile infostealer now arrives via spear-phishing emails that mimic copyright notices, uses a Telegram-based C2 channel, and is loaded through DLL sideloading of the Haihaisoft PDF Reader. It targets US and APAC enterprises, steals browser data, and carries unreleased features such as keylogging.
Impact: Enhanced evasion and reconnaissance capabilities.
Mitigation: Block suspicious Dropbox/MSI installs, monitor registry persistence.
Source: The Hacker News
PipeMagic ransomware exploits Windows CLFS flaw (CVE-2025-29824)
Kaspersky observed the PipeMagic backdoor deployed via CVE-2025-29824 (patched in April 2025) in attacks on organizations in Saudi Arabia and Brazil. The malware uses Azure-hosted payloads, poses as a ChatGPT client, and includes modules for LSASS dumping and lateral movement.
Impact: Persistent backdoor access and credential theft.
Mitigation: Patch Windows CLFS flaws, monitor ProcDump usage.
Source: The Hacker News
Malicious PyPI/npm packages exploit dependencies
The PyPI packages termncolor and colorinal (529+ downloads) delivered malware through DLL sideloading (vcpktsvr.exe) and used Zulip as the C2 channel. npm packages such as redux-ace targeted developers with theft of iCloud and browser data.
Impact: Supply chain compromise and credential exfiltration.
Mitigation: Audit open-source dependencies, restrict unverified packages.
Source: The Hacker News
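The "audit open-source dependencies" mitigation above is easy to say and rarely done in practice. The following Python script is an added example, not code from the brief or from The Hacker News article: it parses a requirements.txt-style file, flags the two PyPI package names reported above against a denylist, and flags any name that is within a small edit distance of a well-known package but not identical to it, which is the usual shape of a typosquat. The popular-package allowlist, the edit-distance threshold and the sample requirements content are all constructed for this example; a real deployment would feed in an organisation's own allowlist and lockfile.

```python
"""Audit a pinned Python requirements file for suspicious package names.

Two checks are applied to each dependency:
  1. an exact match against a denylist of packages reported as malicious
     (the two PyPI names from the brief are used here);
  2. a near-miss check: a name within a small edit distance of a well-known
     package, but not equal to it, is reported as a possible typosquat.
The allowlist and the sample requirements text are constructed for this
example and are not taken from the brief.
"""
import re

# Names reported as malicious in the brief
KNOWN_MALICIOUS = {"termncolor", "colorinal"}

# Constructed allowlist (assumption: your organisation maintains a real one).
# These are well-known PyPI packages used only as illustrative entries.
POPULAR_PACKAGES = {"termcolor", "colorama", "requests", "urllib3", "numpy"}

# Constructed sample requirements.txt content; "reqeusts" is a deliberate
# near-miss of "requests" to exercise the typosquat check.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
termncolor==0.1.0
colorinal>=1.0
numpy==2.0.1
# a comment line
urllib3==2.2.2
reqeusts==2.0
"""


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                   # deletion
                           cur[j - 1] + 1,                # insertion
                           prev[j - 1] + (ca != cb)))     # substitution
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> list[str]:
    """Return normalised package names from requirements.txt-style text.

    Version specifiers, extras, environment markers and comments are
    stripped; names are lower-cased with '_' and '.' folded to '-', as
    PEP 503 normalisation does, so lookups against the lists are exact.
    """
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name = re.split(r"[\[<>=!~;\s]", line, maxsplit=1)[0]
        names.append(re.sub(r"[-_.]+", "-", name).lower())
    return names


def audit(requirement_names, denylist=KNOWN_MALICIOUS,
          popular=POPULAR_PACKAGES, max_distance=2):
    """Return (name, finding, reference) tuples for suspicious dependencies.

    Denylist hits take priority; allowlisted names are trusted as-is; any
    other name close to an allowlisted one is a possible typosquat.
    """
    findings = []
    for name in requirement_names:
        if name in denylist:
            findings.append((name, "known-malicious", name))
            continue
        if name in popular:
            continue
        for good in sorted(popular):          # sorted for deterministic output
            if levenshtein(name, good) <= max_distance:
                findings.append((name, "possible-typosquat", good))
                break
    return findings


if __name__ == "__main__":
    for name, finding, ref in audit(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{name:12} {finding:20} (cf. {ref})")
```

Run against the constructed sample it reports termncolor and colorinal as known-malicious and reqeusts as a possible typosquat of requests, while requests, numpy and urllib3 pass. The edit-distance threshold is a tuning knob: 1 or 2 catches single-character slips and transpositions, which is where most typosquats live, without drowning the report in false positives from legitimately similar names.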
5G “Sni5Gect” attack bypasses rogue base station need
Sni5Gect, a novel 5G attack, intercepts pre-authentication messages exchanged during reconnections (for example, after airplane mode), enabling modem crashes, device tracking, and downgrades to 4G. It was tested on the Pixel 7 and S22 with 80% sniffing accuracy.
Impact: Eavesdropping and denial-of-service risks.
Mitigation: Limit sensitive actions during network reconnections.
Source: SecurityWeek
Chinese APT targets Taiwan web hosts with SoundBill loader
UAT-7237 (linked to Volt Typhoon) exploited flaws in internet-facing servers, deploying SoftEther VPN and the Chinese-origin SoundBill loader to run Cobalt Strike. The group focused on credential theft using WMICmd and SharpWMI.
Impact: Long-term access to high-value targets.
Mitigation: Patch edge devices, monitor WMI/SMB anomalies.
Source: SecurityWeek
Zeppelin ransomware operator’s $2.8M seized by US
The DoJ charged Ianis Antropenko over Zeppelin ransomware attacks and seized $2.8M in cryptocurrency laundered through ChipMixer. Zeppelin targeted healthcare and tech firms via RDP and SonicWall exploits until flaws in its encryption were exposed in 2022.
Source: SecurityWeek