Svoboda Cybersecurity Brief August 28, 2025
Ransomware attack impacts 200+ Swedish municipalities via IT supplier
A ransomware attack on Swedish software provider Miljödata disrupted HR and sick-leave management systems used by roughly 200 municipalities. Sensitive personal data may have been exfiltrated; the attackers demanded 1.5 BTC (about $168k). Sweden's national CSIRT (CERT-SE) and police are investigating.
Impact: Critical disruption to municipal services and potential exposure of sensitive HR/health data.
Mitigation: Isolate affected systems, restore from backups, and audit for data exfiltration.
Source: BleepingComputer
Storm-0501 shifts to cloud-native ransomware, bypassing encryption
Microsoft reports that Storm-0501 now runs extortion entirely on cloud-native features (Azure Key Vault customer-managed keys, deletion of storage and backups) instead of deploying encryption malware. The group pivots from compromised on-premises identities into Entra ID, abuses Entra Connect sync accounts and users without MFA, and escalates to the Global Administrator role.
Impact: Data exfiltration, irreversible backup destruction, and extortion without any malware on endpoints.
Mitigation: Enforce MFA for every account (including synced admins), monitor Entra Connect sync-account permissions and privileged-role assignments, and restrict Azure RBAC role assignments to PIM-governed principals.
Source: BleepingComputer
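As an added illustration of the monitoring advice above (not code from the brief or from Microsoft), the following Python checks a batch of Entra ID audit and sign-in events for the two signals that matter in this tradecraft: an Entra Connect sync account used interactively, and a high-privilege role assignment. The record shape, the field names, the sync-account naming rule and the sample events are constructed assumptions; map them to your own log export.

```python
"""Added example (not from the brief): flag Entra ID events consistent with the
Storm-0501 tradecraft summarised above. Event shape and samples are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumption: the tenant keeps Entra Connect's default sync-account naming,
# Sync_<server>_<id>@<tenant>.onmicrosoft.com. Adjust if your tenant differs.
SYNC_ACCOUNT_RE = re.compile(r"^Sync_[^@]+@", re.IGNORECASE)

# Roles whose assignment should always be reviewed.
HIGH_PRIV_ROLES = {"Global Administrator", "Privileged Role Administrator"}


@dataclass
class Event:
    ts: str
    actor: str            # UPN of the principal performing the activity
    activity: str         # "Sign-in" or an audit activity such as "Add member to role"
    target_role: str = "" # role name for role-assignment activities
    interactive: bool = False
    mfa: bool = True


def findings(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (finding, actor, timestamp) tuples for suspicious events."""
    out = []
    for e in events:
        # A sync service account should only ever authenticate non-interactively.
        if e.activity == "Sign-in" and e.interactive and SYNC_ACCOUNT_RE.match(e.actor):
            out.append(("sync-account-interactive-signin", e.actor, e.ts))
        # Interactive sign-ins without MFA are the gap the group exploits.
        if e.activity == "Sign-in" and e.interactive and not e.mfa:
            out.append(("interactive-signin-without-mfa", e.actor, e.ts))
        # Any grant of a tenant-wide admin role deserves a ticket.
        if e.activity == "Add member to role" and e.target_role in HIGH_PRIV_ROLES:
            out.append(("high-priv-role-assigned", e.actor, e.ts))
    return out


# Constructed sample events: one benign sync, one abused sync account,
# one Global Admin grant, one ordinary MFA-protected sign-in.
SAMPLE = [
    Event("2025-08-20T01:02:00Z", "Sync_ADCONNECT01_7f3a@contoso.onmicrosoft.com", "Sign-in"),
    Event("2025-08-20T01:15:00Z", "Sync_ADCONNECT01_7f3a@contoso.onmicrosoft.com", "Sign-in",
          interactive=True, mfa=False),
    Event("2025-08-20T01:20:00Z", "jdoe@contoso.com", "Add member to role",
          target_role="Global Administrator"),
    Event("2025-08-20T02:00:00Z", "alice@contoso.com", "Sign-in", interactive=True, mfa=True),
]

if __name__ == "__main__":
    for name, actor, ts in findings(SAMPLE):
        print(f"{ts} {name:32s} {actor}")
```

The first sample sign-in is the normal non-interactive sync and produces no finding; the abused sync account yields two findings (interactive use and missing MFA) and the role grant yields a third. Feed real events through the same function by constructing `Event` objects from your sign-in and audit exports.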
28,200+ Citrix instances vulnerable to exploited zero-day (CVE-2025-7775)
CVE-2025-7775 (CVSS 9.2) is a memory-overflow flaw in NetScaler ADC/Gateway that allows remote code execution or denial of service. It is being exploited in the wild; Shadowserver counts 28,200+ exposed instances, and US CISA added it to the KEV catalog with a patch deadline of August 28.
Impact: Full device compromise on Gateway/AAA virtual servers and on load-balancing virtual servers bound to IPv6 services.
Mitigation: Upgrade immediately to a fixed build (e.g., 14.1-47.48 or later); Citrix lists no workaround. Removing unused IPv6-bound services from LB virtual servers reduces exposure only until the patch is applied.
Source: BleepingComputer
FreePBX zero-day exploited to compromise VoIP servers
Attackers breached FreePBX servers via a zero-day in the Administrator Control Panel (ACP), dropping shell scripts (e.g., /var/www/html/.clean.sh) and adding unauthorized admin accounts. Over 3,000 SIP extensions were affected.
Impact: Arbitrary command execution as the asterisk user, call fraud, and credential theft.
Mitigation: Apply the fixed module from the EDGE repository; if that must wait, restrict ACP access to trusted IPs. Check for the dropped files and unexpected admin users, then rotate SIP and admin credentials.
Source: BleepingComputer
Healthcare Services Group breach exposes 624,000 people
HSGI disclosed a late-2024 breach in which attackers accessed SSNs, financial account data, and credentials; affected individuals were notified roughly 10 months after the intrusion.
Impact: High-risk identity theft and credential-stuffing opportunities.
Mitigation: Enroll in offered credit monitoring; rotate all exposed credentials.
Source: BleepingComputer
Chinese Salt Typhoon hackers linked to tech firms, exploit network gear
A joint NSA/NCSC advisory with partner agencies ties Salt Typhoon to three Chinese technology firms (e.g., Sichuan Juxinhe). The group targets telecom and government networks by exploiting CVE-2024-21887 (Ivanti Connect Secure), CVE-2024-3400 (Palo Alto PAN-OS), and CVE-2018-0171 (Cisco Smart Install).
Impact: Long-term espionage, data theft, and pivoting across provider networks.
Mitigation: Patch edge devices, disable Cisco Smart Install and Guest Shell where not needed, and monitor for unexpected GRE tunnels on routers.
Source: BleepingComputer
First AI-powered ransomware (PromptLock) uses GPT-OSS:20b model
The proof-of-concept ransomware PromptLock calls OpenAI's open-weight gpt-oss:20b model through a local Ollama API to generate Lua scripts at runtime that enumerate and encrypt files with 128-bit SPECK. Samples were found on VirusTotal; no active deployment has been seen.
Impact: Cross-platform, polymorphic payloads (the generated scripts differ per run) if operationalized.
Mitigation: Monitor for unexpected local Ollama API traffic and restrict which hosts may run local model runtimes.
Source: BleepingComputer
UNC6395 steals Salesforce data via compromised Salesloft OAuth tokens
Attackers used stolen OAuth tokens for the Salesloft Drift chat integration to pull data from 700+ Salesforce instances, then searched the exported records for AWS access keys, Snowflake tokens, and passwords.
Impact: Credential harvesting that seeds downstream attacks on the victims' cloud and data-platform accounts.
Mitigation: Revoke and reissue Drift OAuth tokens, review Salesforce query/event logs for bulk SOQL exports, and rotate every secret found in stored records.
Source: SecurityWeek
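Because the attackers' goal was secrets stored in Salesforce records, a practitioner's first task after revoking tokens is to find out which secrets were actually sitting in those records. The Python below is an added example (not from the brief or from Salesforce/Salesloft) that scans exported case text for credential patterns and builds a rotation list. The record IDs and text are constructed, and the regular expressions are heuristics for the credential types named above, not a complete secret scanner.

```python
"""Added example (not from the brief): triage exported Salesforce record text for
credential material so the rotation list is concrete. Samples are constructed."""
import re
from typing import Dict, List, Tuple

# Heuristic patterns for the secret types named in the report. The AWS access key
# ID format is documented; the others are assumptions about how people paste secrets.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_ -]?secret[_ -]?(?:access[_ -]?)?key\W{0,5}([A-Za-z0-9/+=]{40})\b"),
    "snowflake_credential": re.compile(
        r"(?i)snowflake[^\n]{0,40}?(?:token|password)\W{0,5}(\S{8,})"),
    "generic_password": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S{6,})"),
}


def redact(secret: str) -> str:
    """Keep only a prefix/suffix so the report can be shared without leaking the value."""
    return secret[:4] + "..." + secret[-2:]


def scan_record(record_id: str, text: str) -> List[Dict[str, str]]:
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            secret = m.group(1) if m.groups() else m.group(0)
            hits.append({"record": record_id, "kind": kind, "redacted": redact(secret)})
    return hits


def scan_export(records: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """records: (record_id, free-text field) pairs from a Salesforce export."""
    return [h for rid, text in records for h in scan_record(rid, text)]


def rotation_summary(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count of secrets to rotate, by type."""
    summary: Dict[str, int] = {}
    for h in hits:
        summary[h["kind"]] = summary.get(h["kind"], 0) + 1
    return summary


# Constructed sample export. The AWS values are the well-known documentation
# placeholders, not live credentials.
SAMPLE_EXPORT = [
    ("500xx0001", "Customer pasted their config: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE "
                  "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
    ("500xx0002", "Snowflake password: Wint3r!Sn0w for user svc_reporting"),
    ("500xx0003", "Customer reports login page error 500 after upgrade, no credentials shared."),
]

if __name__ == "__main__":
    found = scan_export(SAMPLE_EXPORT)
    for h in found:
        print(f"{h['record']} {h['kind']:24s} {h['redacted']}")
    print(rotation_summary(found))
```

The second sample record matches both the Snowflake-specific and the generic password pattern, which is intentional: an overlapping hit is cheaper than a missed one when deciding what to rotate. Run the scanner over the exported objects the Drift integration could read (cases, case comments, custom text fields), and treat every hit as already exposed.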
Nevada govt offices shut after disruptive cyberattack
State systems were taken offline on August 25 and recovery is ongoing. No ransomware group has claimed responsibility.
Impact: Operational disruption to public services.
Mitigation: Isolate networks, restore from clean backups.
Source: SecurityWeek
Mustang Panda (UNC6384) hijacks web traffic to deliver PlugX
The group redirects victims' web traffic through captive-portal hijacks to a fake Adobe plugin update signed with a Chengdu Nuoxin Times Technology certificate; the installer runs the STATICPLUGIN loader, which ultimately stages PlugX.
Impact: Adversary-in-the-middle targeting of diplomats, with signed binaries and living-off-the-land tactics to evade detection.
Mitigation: Block or distrust the abused signing certificate; inspect edge devices for captive-portal or redirect tampering.
Source: SecurityWeek