Svoboda Cybersecurity Brief September 22, 2025
Microsoft Entra ID Flaw Allowed Full Tenant Compromise
A critical flaw (CVE-2025-55241) in Microsoft Entra ID’s legacy Azure AD Graph API combined with undocumented “actor tokens” allowed attackers to escalate to Global Admin privileges in any tenant. Exploiting the flaw bypassed logging and Conditional Access, enabling silent attacks. Researcher Dirk-jan Mollema disclosed the issue, patched by Microsoft on September 4.
Impact: Full tenant takeover, including user impersonation and configuration changes, with minimal logging.
Mitigation: Apply Microsoft’s patch, migrate from Azure AD Graph to Microsoft Graph API, and monitor for anomalous admin activity.
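The mitigation above names two defender tasks: find remaining Azure AD Graph clients and watch for anomalous admin activity. The following is an added example, not from the brief, BleepingComputer, or Microsoft: a small Python triage over constructed, simplified log records that flags privileged role assignments, directory changes made outside business hours, and sign-ins to the legacy Azure AD Graph resource. The record shape, field names, and the business-hours window are assumptions made for the example; real Entra exports carry a richer schema.

```python
from datetime import datetime

# Constructed sample records (not real tenant data). The field names are an
# assumption for this example and are simpler than real Entra audit/sign-in logs.
SAMPLE_AUDIT_EVENTS = [
    {"time": "2025-09-05T02:14:00Z", "activity": "Add member to role",
     "initiatedBy": "svc-backup@example.com", "target": "jdoe@example.com",
     "role": "Global Administrator"},
    {"time": "2025-09-05T09:00:00Z", "activity": "Add member to role",
     "initiatedBy": "admin@example.com", "target": "ops@example.com",
     "role": "Helpdesk Administrator"},
    {"time": "2025-09-05T03:30:00Z", "activity": "Update user",
     "initiatedBy": "svc-backup@example.com", "target": "ceo@example.com",
     "role": None},
]
SAMPLE_SIGNIN_EVENTS = [
    {"time": "2025-09-05T02:10:00Z", "user": "svc-backup@example.com",
     "resource": "https://graph.windows.net", "app": "LegacyInventoryApp"},
    {"time": "2025-09-05T10:00:00Z", "user": "admin@example.com",
     "resource": "https://graph.microsoft.com", "app": "Azure Portal"},
]

# Roles whose assignment should always be reviewed.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
# Legacy Azure AD Graph endpoint; clients still talking to it are migration work.
LEGACY_GRAPH_RESOURCE = "https://graph.windows.net"
# Assumed working window for this example (07:00-18:59 UTC).
BUSINESS_HOURS = range(7, 19)


def parse_time(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def flag_privileged_role_changes(events):
    """Return audit events that add a member to a privileged directory role."""
    return [e for e in events
            if e["activity"] == "Add member to role"
            and e.get("role") in PRIVILEGED_ROLES]


def flag_off_hours_admin_activity(events):
    """Return audit events whose timestamp falls outside BUSINESS_HOURS."""
    return [e for e in events
            if parse_time(e["time"]).hour not in BUSINESS_HOURS]


def flag_legacy_graph_usage(signins):
    """Return sign-ins whose target resource is the legacy Azure AD Graph."""
    return [s for s in signins
            if s["resource"].startswith(LEGACY_GRAPH_RESOURCE)]


def triage(audit_events, signin_events):
    """Combine the three checks into (reason, record) findings sorted by time."""
    findings = []
    findings += [("privileged role assignment", e)
                 for e in flag_privileged_role_changes(audit_events)]
    findings += [("off-hours directory change", e)
                 for e in flag_off_hours_admin_activity(audit_events)]
    findings += [("legacy Azure AD Graph sign-in", s)
                 for s in flag_legacy_graph_usage(signin_events)]
    return sorted(findings, key=lambda f: parse_time(f[1]["time"]))


if __name__ == "__main__":
    for reason, record in triage(SAMPLE_AUDIT_EVENTS, SAMPLE_SIGNIN_EVENTS):
        who = record.get("initiatedBy") or record.get("user")
        print(f"{record['time']}  {reason:32s}  {who}")
```

Run against the constructed data, the script surfaces the Global Administrator assignment twice (once as a privileged change, once as off-hours), the off-hours user update, and the single legacy Graph sign-in; in a real tenant the same three rules would be expressed against exported audit and sign-in logs, with the hours window and role list tuned to the environment.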
Source: BleepingComputer
European Airport Disruptions Worsen After Collins Aerospace Cyberattack
A cyberattack on Collins Aerospace’s Multi-User System Environment (MUSE) software disrupted check-in systems at major EU airports (Brussels, Berlin, London), forcing manual operations and 140+ flight cancellations. The breach, possibly linked to ransomware, persists with delays expected to continue.
Source: SecurityWeek
DPRK’s Lazarus Group Expands Targeting with “ClickFix” Lures and BeaverTail Malware
North Korean hackers (Lazarus subgroup) used ClickFix social engineering to deliver BeaverTail malware via fake job platforms, targeting crypto marketing/trading roles (not just developers). The malware, now compiled for cross-platform use, steals browser data and drops InvisibleFerret backdoor. Campaigns show tactical shifts and infrastructure agility.
Source: The Hacker News
Pennsylvania AG Office Confirms Ransomware Attack, Data Exposure
The Pennsylvania Attorney General’s Office disclosed a ransomware attack (August 11) encrypting files, with no ransom paid. INC Ransom claimed the breach on its leak site, but data exposure remains unconfirmed. Limited notifications issued to affected individuals.
Source: DataBreaches
Scattered LAPSUS$ Hunters Continue Attacks Despite “Goodbye” Message
The Scattered LAPSUS$ Hunters collective persists in targeting airlines/financial sectors despite a public “retirement” announcement, possibly linked to recent airport outages (e.g., Collins Aerospace). The group’s fragmented structure suggests only partial adherence to shutdown claims, with continued activity on Telegram.
Source: DataBreaches