Svoboda Cybersecurity Brief September 17, 2025
Scattered Spider Continues Attacks Despite Retirement Claims
Scattered Spider remains active despite announcing retirement, with ReliaQuest observing new attacks on a U.S. bank. Attackers used social engineering to reset an executive’s Azure AD password, then moved laterally via Citrix, VPN, and VMware ESXi.
Impact: Financial sector remains at risk of data exfiltration and network compromise.
Mitigation: Enforce MFA, monitor for abnormal password resets, and restrict lateral movement via network segmentation.
Source: DataBreaches
Self-Replicating Worm Infects 187 npm Packages
A worm dubbed Shai-Hulud compromised 187 npm packages, stealing developer credentials via TruffleHog and publishing them on GitHub. The malware auto-propagates by infecting packages maintained by compromised accounts. CrowdStrike confirmed some of its packages were briefly affected.
Impact: Supply chain attack risks credential theft and further package compromise.
Mitigation: Rotate npm/GitHub tokens, audit dependencies, and monitor for unusual repository activity.
Source: KrebsOnSecurity
Critical Chaos Mesh Flaws Allow Kubernetes Cluster Takeover
Four vulnerabilities (CVE-2025-59358 to CVE-2025-59361) in Chaos Mesh’s GraphQL server enable remote code execution (RCE) and cluster takeover. Attackers with minimal access can manipulate fault injections or execute OS commands.
Impact: Full compromise of Kubernetes environments.
Mitigation: Upgrade to Chaos Mesh 2.7.3 or restrict network traffic to the Chaos Mesh daemon.
Source: The Hacker News
Phoenix RowHammer Attack Bypasses DDR5 Protections
ETH Zurich researchers demonstrated CVE-2025-6202, a RowHammer variant that bypasses DDR5’s Target Row Refresh (TRR). The exploit gains root access in 109 seconds on SK Hynix hardware.
Impact: Privilege escalation and data corruption in cloud/enterprise environments.
Mitigation: Triple DDR5 refresh rates (8.4% overhead) or deploy per-row activation counters.
Source: SecurityWeek
224 Android Apps Caught in SlopAds Ad Fraud Campaign
The 224 apps, with 38M combined downloads, delivered FatModule via PNG images with the payload hidden by steganography, generating 2.3B fraudulent ad bids per day. The apps checked their installation source to evade detection during security reviews.
Impact: Monetization fraud and potential secondary payload delivery.
Mitigation: Remove identified apps (blocklisted by Google Play Protect) and monitor for hidden WebViews.
Source: BleepingComputer
Jaguar Land Rover Extends Shutdown After Cyberattack
JLR extended production halts until September 24 following a cyberattack claimed by Scattered Lapsus$ Hunters. Attackers accessed SAP systems and deployed ransomware.
Impact: Operational disruption and potential data exfiltration.
Mitigation: Isolate critical systems, audit OAuth/SAP permissions, and monitor leak sites.
Source: BleepingComputer
Apple Backports Zero-Day Patch for Older Devices
CVE-2025-43300, an ImageIO out-of-bounds write bug chained with WhatsApp’s CVE-2025-55177, was patched for iOS 15/16 on legacy devices (iPhone 6s–X). Exploited in “extremely sophisticated” spyware attacks.
Impact: Targeted device compromise via malicious images.
Mitigation: Update to iOS 15.8.5/iOS 16.7.12.
Source: The Hacker News
FileFix Attack Drops StealC via Meta Phishing
A multilingual phishing site tricks users into pasting PowerShell commands in File Explorer, delivering StealC via steganography-hidden payloads in Bitbucket-hosted images.
Impact: Credential theft from browsers, cloud services, and crypto wallets.
Mitigation: Block Bitbucket domains for executable downloads and educate teams on FileFix tactics.
Source: The Hacker News
BreachForums Admin Resentenced to 3 Years
“Pompompurin” (Conor Fitzpatrick) received 36 months for operating BreachForums, soliciting stolen data, and possessing CSAM. The original 20-year supervised-release term was upheld.
Source: BleepingComputer
SEC Softens Crypto Enforcement Approach
New SEC Chair Paul Atkins will notify crypto firms of technical violations before enforcement, reversing prior aggressive policies. Focus remains on fraud cases.
Source: DataBreaches
China Mandates 1-Hour Cyber Incident Reporting
New CAC rules require network operators to report serious incidents within 60 minutes (30 for critical events), effective November 1. Non-compliance risks penalties.
Source: DataBreaches
ChatGPT Calendar Exploit Steals Emails via MCP
EdisonWatch demonstrated how a malicious calendar invite with a jailbreak prompt tricks ChatGPT into exfiltrating emails via Model Context Protocol (MCP) integration.
Impact: Unauthorized email access via AI tool abuse.
Mitigation: Disable MCP in developer mode or require manual approval for AI actions.
Source: SecurityWeek