Svoboda Cybersecurity Brief September 23, 2025
Stellantis Data Breach via Third-Party Salesforce Hack
ShinyHunters claimed responsibility for breaching Stellantis’ North American customer service provider, exposing 18 million Salesforce records including names and contact details. The attack exploited compromised OAuth tokens for Salesloft’s Drift AI chat integration with Salesforce.
Impact: Customer contact data exposed, potential phishing risks.
Mitigation: Monitor for phishing attempts, revoke compromised OAuth tokens, enforce MFA.
Source: BleepingComputer
European Airport Disruptions Due to Ransomware Attack
A ransomware attack on Collins Aerospace disrupted check-in systems at major European airports (Heathrow, Brussels, Berlin). The attack targeted ARINC SelfServ vMUSE systems, forcing manual operations and flight cancellations.
Impact: Operational disruptions, potential data compromise.
Mitigation: Isolate affected systems, audit exposed services, apply backups.
Source: SecurityWeek
Critical Microsoft Entra ID Flaw Allows Global Admin Impersonation
CVE-2025-55241 (CVSS 10.0) in Azure Entra ID enabled attackers to forge tokens for cross-tenant admin impersonation, bypassing MFA and logging. The flaw resided in the deprecated Azure AD Graph API’s token validation.
Impact: Full tenant compromise, data exfiltration.
Mitigation: Migrate to Microsoft Graph API, monitor token issuance.
Source: The Hacker News
macOS InfoStealer Campaign via Fake GitHub Repositories
Threat actors impersonated LastPass, 1Password, and 100+ brands on GitHub to distribute the Atomic (AMOS) infostealer. Victims were tricked via SEO-optimized repos and terminal commands (curl-based payloads).
Impact: Credential theft, cryptocurrency wallet compromise.
Mitigation: Verify official software sources, disable auto-execution of terminal commands.
Source: BleepingComputer
New EDR-Freeze Tool Bypasses Security via Windows WER
EDR-Freeze abuses Windows Error Reporting (WerFaultSecure) and MiniDumpWriteDump API to indefinitely suspend EDR processes. The tool operates in user mode, eliminating the need for kernel drivers.
Impact: Evasion of endpoint detection, persistence.
Mitigation: Monitor WER processes, restrict service control manager access.
Source: BleepingComputer
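One way to act on the "monitor WER processes" mitigation is to baseline how WerFaultSecure.exe normally gets launched and alert on deviations. The script below is an added example written for this brief; it is not code from the brief, from the EDR-Freeze author, or from any vendor. The record format, the "edr_agent.exe" process name, and the expected-parent baseline (WER service host under C:\Windows running as SYSTEM) are constructed assumptions and must be tuned against real telemetry.

```python
"""Heuristic detection of anomalous WerFaultSecure.exe launches.

Added example for the EDR-Freeze item in this brief; not code from the brief,
the tool's author, or any vendor. Record format, process names and the
expected-parent baseline are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# Assumption: on a healthy host WerFaultSecure.exe is spawned by the WER
# service host (svchost.exe under C:\Windows) running as SYSTEM.
EXPECTED_PARENTS = {"svchost.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Security tooling whose PID appearing in a WerFaultSecure command line is
# worth an alert. "edr_agent.exe" is a constructed placeholder name.
SECURITY_PROCESSES = {"msmpeng.exe", "edr_agent.exe"}

# Constructed sample process-creation records (not real telemetry).
SAMPLE_LOGS = [
    'ts=2025-09-22T09:58:00Z event=ProcessCreate pid=1188 image="C:\\Windows\\System32\\svchost.exe" parent="C:\\Windows\\System32\\services.exe" user="NT AUTHORITY\\SYSTEM" cmd="svchost.exe -k WerSvcGroup"',
    'ts=2025-09-22T09:58:02Z event=ProcessCreate pid=2044 image="C:\\Program Files\\ExampleEDR\\edr_agent.exe" parent="C:\\Windows\\System32\\services.exe" user="NT AUTHORITY\\SYSTEM" cmd="edr_agent.exe"',
    # Benign: the WER service handling a crash of some unrelated process.
    'ts=2025-09-22T10:01:05Z event=ProcessCreate pid=4120 image="C:\\Windows\\System32\\WerFaultSecure.exe" parent="C:\\Windows\\System32\\svchost.exe" user="NT AUTHORITY\\SYSTEM" cmd="WerFaultSecure.exe 7788"',
    # Suspicious: launched by a binary in a user-writable path, as an
    # interactive user, with the EDR agent's PID on the command line.
    'ts=2025-09-22T10:07:41Z event=ProcessCreate pid=5312 image="C:\\Windows\\System32\\WerFaultSecure.exe" parent="C:\\Users\\alice\\Downloads\\tool.exe" user="CORP\\alice" cmd="WerFaultSecure.exe 2044"',
]

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Turn one key=value record into a dict of string fields."""
    return {key: (quoted or bare) for key, quoted, bare in _FIELD.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    ts: str
    pid: int
    reasons: list = field(default_factory=list)


def analyze(lines):
    """Scan records in order; return a Finding for every WerFaultSecure.exe
    launch that breaks the baseline, listing the rules it tripped."""
    pid_to_image = {}
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("event") != "ProcessCreate":
            continue
        pid = int(rec["pid"])
        image = basename(rec.get("image", ""))
        pid_to_image[pid] = image  # remember who owns each PID
        if image != "werfaultsecure.exe":
            continue
        parent = rec.get("parent", "")
        reasons = []
        if basename(parent) not in EXPECTED_PARENTS:
            reasons.append("unexpected_parent")
        if not parent.lower().startswith("c:\\windows\\"):
            reasons.append("parent_outside_windows_dir")
        if rec.get("user", "").upper() != SYSTEM_USER:
            reasons.append("non_system_user")
        # Assumption: the target process id is passed on the command line, so
        # any integer there that resolves to a security product is suspicious.
        for token in re.findall(r"\d+", rec.get("cmd", "")):
            if pid_to_image.get(int(token)) in SECURITY_PROCESSES:
                reasons.append("targets_security_process")
                break
        if reasons:
            findings.append(Finding(rec.get("ts", ""), pid, reasons))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding.ts, finding.pid, ", ".join(finding.reasons))
```

The benign launch trips no rule; the second launch trips all four. In practice the parent and user baselines vary by Windows version and EDR product, so validate them against a few weeks of normal telemetry before alerting on them.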
ComicForm Hackers Deploy Formbook Malware in Eurasian Attacks
The ComicForm group targeted Belarus, Kazakhstan, and Russia with phishing emails delivering Formbook malware via obfuscated .NET loaders. Lures included fake invoices and reconciliation acts.
Impact: Data theft, credential harvesting.
Mitigation: Block .ru/.by/.kz email domains, deploy endpoint detection.
Source: The Hacker News
L1TF Reloaded Attack Leaks Cloud VM Memory via Half-Spectre
Researchers combined L1TF (Foreshadow) and half-Spectre gadgets to leak TLS keys from Google Cloud VMs. The attack required 14.2 hours on average to extract sensitive data.
Impact: Cross-tenant memory leaks, credential exposure.
Mitigation: Apply microarchitectural patches, isolate critical workloads.
Source: SecurityWeek
Fortra Patches Critical GoAnywhere MFT RCE Vulnerability
CVE-2025-10035 (CVSS 10.0) in GoAnywhere MFT allows unauthenticated RCE via forged license signatures. The flaw affects versions before 7.8.4 and 7.6.3.
Impact: Remote code execution, data theft.
Mitigation: Restrict admin console access, monitor audit logs.
Source: SecurityWeek
“Cancel the Hate” App Exposes User Data
A conservative activism app “Cancel the Hate” leaked user emails and phone numbers due to a flaw discovered by researcher BobDaHacker. Data was exposed despite privacy settings.
Impact: Personal data exposure, doxxing risks.
Mitigation: Audit app permissions, enforce data minimization.
Source: DataBreaches
FBI Warns of Spoofed IC3 Cybercrime Reporting Site
Threat actors created fake IC3.gov domains to steal personal data. The FBI advised users to type the URL manually and avoid sponsored search results.
Impact: Credential theft, fraud.
Mitigation: Bookmark official sites, verify SSL certificates.
Source: SecurityWeek
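Spoofed reporting sites rely on the reader accepting a host that merely resembles ic3.gov. The classifier below is an added example for this brief, not code from the brief or from the FBI; it flags a URL as official, lookalike, or unrelated by checking the exact host against an allowlist, then looking for the brand string elsewhere in the authority component (subdomain, hyphen and userinfo tricks) and for small edit distances including homoglyphs. All sample URLs are constructed and are not domains observed in the wild.

```python
"""Classify a URL as the official IC3 site, a lookalike, or unrelated.

Added example for the spoofed-IC3 item in this brief; not code from the brief
or from the FBI. Sample URLs are constructed, not observed lookalikes.
"""
import unicodedata
from urllib.parse import urlparse

OFFICIAL_HOSTS = {"ic3.gov", "www.ic3.gov"}
BRAND = "ic3"
CANONICAL = "ic3.gov"


def levenshtein(a, b):
    """Edit distance; catches single-character swaps such as l for i or a
    Cyrillic letter standing in for a Latin one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'official', 'lookalike' or 'unrelated' for a URL or bare host."""
    if "://" not in url:
        url = "https://" + url
    parts = urlparse(url)
    host = unicodedata.normalize("NFKC", parts.hostname or "").lower().rstrip(".")
    if host in OFFICIAL_HOSTS:
        return "official"
    # Brand string anywhere in the authority component: catches subdomain
    # tricks (ic3.gov.example.com), hyphen variants (ic3-gov.com) and
    # userinfo tricks (ic3.gov@evil.example), where the real host is elsewhere.
    if BRAND in parts.netloc.lower():
        return "lookalike"
    labels = host.split(".")
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host
    if levenshtein(registrable, CANONICAL) <= 2:
        return "lookalike"
    return "unrelated"


# Constructed test inputs covering the cases the rules are meant to catch.
SAMPLE_URLS = [
    "https://www.ic3.gov/Home/ComplaintChoice",
    "ic3.gov",
    "https://ic3.gov.example.com/report",
    "https://ic3-gov.com/",
    "https://ic3.gov@evil.example/",
    "https://lc3.gov/",
    "https://\u0456c3.gov/",  # Cyrillic i (U+0456) in place of Latin i
    "https://example.com/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(f"{classify(sample):10} {sample}")
```

The substring and edit-distance rules are deliberately loose: a defender would rather review a few false positives from mail or proxy logs than miss a homoglyph domain. The registrable-domain split assumes a two-label suffix; for multi-label public suffixes (co.uk and the like) use a public-suffix list instead.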