Svoboda Cybersecurity Brief September 24, 2025
Boyd Gaming discloses data breach after cyberattack
US casino operator Boyd Gaming suffered a cyberattack resulting in unauthorized data exfiltration, including employee and customer information. The company notified regulators and believes the incident won’t materially impact operations, citing cybersecurity insurance coverage.
Source: BleepingComputer
Cloudflare mitigates record-breaking 222 Tbps DDoS attack
Cloudflare defended against the largest volumetric DDoS attack recorded, peaking at 222 Tbps/10.6 Bpps for 40 seconds. The attack used HTTP/2 Rapid Reset techniques and was linked to the AISURU botnet (300,000 infected IoT devices).
Source: BleepingComputer
CISA: Federal agency breached via unpatched GeoServer exploit
Attackers exploited CVE-2024-36401 (a critical RCE in GeoServer) to compromise a federal agency, deploying web shells (China Chopper) and moving laterally via brute force. The breach went undetected for 3 weeks until EDR alerts triggered a SOC response.
Impact: Full network compromise via unauthenticated RCE.
Mitigation: Patch vulnerable GeoServer instances; monitor CISA KEV catalog.
Source: BleepingComputer
Supermicro BMC flaws allow malicious firmware updates
CVE-2025-7937 and CVE-2025-6198 bypass signature verification in Supermicro BMC firmware, enabling attackers to persist via malicious updates. These vulnerabilities circumvent the Root of Trust security feature.
Impact: Full BMC and host OS compromise.
Mitigation: Apply latest Supermicro BMC firmware updates.
Source: TheHackerNews
SolarWinds patches third RCE bypass in Web Help Desk
CVE-2025-26399 (CVSS 9.8) is the third patch attempt for an AjaxProxy deserialization flaw (previously CVE-2024-28986, exploited in the wild). Unauthenticated attackers can execute SYSTEM-level commands.
Impact: Remote code execution without authentication.
Mitigation: Apply Web Help Desk 12.8.7 HF1 hotfix.
Source: SecurityWeek
SonicWall releases firmware to remove SMA100 rootkits
New firmware (10.2.2.2-92sv) for SMA 100 series devices removes the OVERSTEP rootkit malware linked to the UNC6148 threat actor. The malware steals credentials and OTP seeds and maintains persistence.
Impact: Complete appliance compromise and credential theft.
Mitigation: Upgrade firmware before the October 1 end-of-life (EoL) date.
Source: BleepingComputer
GitHub mandates 2FA for npm to counter supply chain attacks
GitHub will enforce FIDO-based 2FA, 7-day token lifetimes, and trusted publishing for npm to combat attacks like Shai-Hulud (worm-style secret theft). Classic tokens and TOTP 2FA will be deprecated.
Source: TheHackerNews
ShadowV2 botnet exploits Docker for DDoS-as-a-service
A new botnet infects misconfigured AWS Docker instances via Python scripts, deploying a Go-based RAT with HTTP/2 Rapid Reset attack capabilities. Operators offer a self-service portal for customers to launch attacks.
Impact: High-volume DDoS attacks and container compromise.
Mitigation: Secure Docker APIs; monitor anomalous container creation.
Source: SecurityWeek
Stellantis breach via third-party Salesforce compromise
Automaker Stellantis confirmed a breach of North American customer contact data through a compromised third-party platform, likely its Salesforce instance targeted by ShinyHunters.
Source: SecurityWeek
Secret Service dismantles 300 SIM servers near UN summit
Authorities seized a network of 300 SIM servers (100k SIM cards) near NYC that was capable of disrupting cellular networks during the UN General Assembly. The devices could have enabled encrypted communications and DDoS attacks.
Source: TheHackerNews
Libraesva patches ESG bug exploited by state hackers
CVE-2025-59689 (medium severity) in Libraesva Email Security Gateway allowed command injection via malicious email attachments. A state-sponsored actor exploited it before a fix was available; Libraesva shipped an emergency patch within 17 hours.
Impact: Non-privileged RCE via email processing.
Mitigation: Update to patched versions (5.0.31+, 5.1.20+).
Source: BleepingComputer
NPM package “fezbox” steals cookies via QR code steganography
The malicious npm package fetched a QR code containing obfuscated JavaScript to harvest cookies and credentials, evading detection via reversed URL strings. It was downloaded 327 times before removal.
Impact: Credential theft from development environments.
Mitigation: Audit npm dependencies; monitor for IOCs like res.cloudinary.com URLs.
Source: BleepingComputer
Eurojust arrests 5 in €100M crypto fraud scheme
A cross-border operation dismantled a fraud ring that had operated since 2018, luring victims across 23 countries with fake crypto investment platforms. Funds were laundered through Lithuanian bank accounts.
Source: TheHackerNews
Scattered Spider suspect arrested in Las Vegas
A juvenile allegedly involved in casino cyberattacks surrendered to authorities, facing identity theft and computer intrusion charges. This follows UK arrests of two other suspected group members.
Source: SecurityWeek
BadIIS malware uses SEO poisoning for traffic hijacking
The CL-UNK-1037 threat actor deployed IIS modules to manipulate search rankings, redirecting victims to scam sites. The malware selectively served malicious content to search crawlers.
Impact: Search engine abuse and web traffic manipulation.
Mitigation: Monitor IIS modules for unauthorized changes.
Source: TheHackerNews
Jaguar Land Rover extends shutdown post-cyberattack
Production remains halted until October 1 following an August 31 attack impacting UK operations. The company is working with NCSC but hasn’t disclosed attack details.
Source: SecurityWeek
WhatsApp introduces on-device message translation
The new feature translates chats in 19 languages (iOS) or 6 languages (Android) locally, without sending data to servers, enhancing privacy. Rollout began September 17.
Source: BleepingComputer