Svoboda Cybersecurity Brief September 26, 2025
Cisco ASA zero-days exploited in attacks, CISA issues emergency directive
Cisco warned of two actively exploited zero-days (CVE-2025-20333 and CVE-2025-20362) in ASA and Firepower Threat Defense software, allowing code execution and unauthorized endpoint access. CISA ordered federal agencies to patch within 24 hours, linking the attacks to the ArcaneDoor campaign by UAT4356 (STORM-1849).
Impact: Attacks deploy LINE VIPER malware and GRUB bootkit “RayInitiator” for persistence.
Mitigation: Patch immediately, disconnect compromised devices, enforce secure boot.
Source: The Hacker News
Scattered Spider-linked teen arrested for 2023 casino cyberattacks
A 17-year-old suspect tied to MGM Resorts and Caesars Entertainment breaches was released under supervision but faces charges including extortion and unlawful computer acts. Prosecutors seek to try him as an adult, citing $100M+ damages from the attacks.
Source: DataBreaches.net
North Korea’s DeceptiveDevelopment targets crypto devs with AkdoorTea backdoor
North Korean hackers (UNC5342) impersonated recruiters to deliver multi-platform malware, including the new AkdoorTea RAT, TsunamiKit, and Tropidoor, via fake coding tests. Victims included cryptocurrency and Web3 developers.
Impact: Data theft, cryptocurrency wallet compromise, and long-term network access.
Mitigation: Verify job offers, inspect GitHub repos before cloning, sandbox untrusted code.
Source: The Hacker News
Malicious npm package steals crypto wallet keys from Rust developers
Fake crates faster_log and async_println (8,500+ downloads) exfiltrated Ethereum/Solana private keys via a Cloudflare Worker (mainnet[.]solana-rpc-pool[.]workers[.]dev). They cloned legitimate logging libraries to evade detection.
Impact: Cryptocurrency theft from developer environments.
Mitigation: Audit dependencies, verify publisher reputation, rotate compromised keys.
Source: BleepingComputer
Salesforce patches ForcedLeak AI prompt injection flaw
Noma Security disclosed CVE-2025-20356 (CVSS 9.4), where attackers could hijack Salesforce’s Agentforce AI by abusing expired domains and Web-to-Lead forms to steal CRM data.
Impact: Unauthorized access to sensitive lead data.
Mitigation: Update Agentforce, enforce URL allowlists, audit lead submissions.
Source: SecurityWeek
New XCSSET macOS malware variant targets Xcode developers
Microsoft detected a macOS malware variant infecting Xcode projects, stealing browser data and cryptocurrency via clipboard hijacking. It uses a fake System Settings.app for persistence.
Impact: Data theft and financial fraud via address swapping.
Mitigation: Update macOS/Xcode, audit shared projects, monitor clipboard activity.
Source: BleepingComputer
Co-op loses $107M following Scattered Spider ransomware attack
The UK retailer reported £80M ($107M) in losses from an April 2025 ransomware attack, with 6.5M members’ data stolen. Four suspects (17–20 years old) were arrested in July.
Source: BleepingComputer
Chinese hackers compromise US defense contractors via edge devices
The RedNovember group breached defense, aerospace, and government targets using the Pantegana backdoor and exploited vulnerabilities in Cisco, Palo Alto, and Ivanti devices.
Impact: Espionage, data exfiltration since July 2024.
Mitigation: Patch edge devices, monitor OWA portals.
Source: SecurityWeek
RTX confirms ransomware disrupted airport check-in systems worldwide
An outage of Collins Aerospace’s MUSE software caused flight delays after a HardBit ransomware attack. A UK suspect was arrested but released on bail.
Source: SecurityWeek
PyPI warns of ongoing phishing attacks impersonating mirror site
Attackers spoofed pypi-mirror.org to steal credentials via fake “account verification” emails. The campaign mirrors recent npm phishing attacks.
Impact: Credential theft leading to supply chain compromises.
Mitigation: Enable MFA, verify email sources, rotate exposed credentials.
Source: SecurityWeek
Volvo Group employee data stolen in third-party ransomware attack
Miljödata breach exposed SSNs and names of Volvo Group NA staff via compromised HR systems. DataCarry ransomware claimed the attack.
Impact: 870K+ records leaked, including sensitive employee data.
Mitigation: Monitor for identity theft, enroll in credit monitoring.
Source: SecurityWeek
OnePlus flaw lets apps read SMS without permission
CVE-2025-10184 (CVSS 8.2) in OxygenOS 12+ allows unauthorized access to SMS/MMS data via SQL injection in the Telephony provider.
Impact: Theft of MFA codes and sensitive messages.
Mitigation: Await patch, restrict app permissions.
Source: The Hacker News
Vane Viper malvertising network generates 1T+ DNS queries
Infoblox exposed 60K domains pushing malware via compromised WordPress sites. The network is linked to Cyprus-based AdTech Holding and PropellerAds.
Impact: Distributed malware, ad fraud, and phishing at scale.
Mitigation: Block malicious domains, disable unwanted push notifications.
Source: The Hacker News
DDoS attacks surge 41%, tech sector overtakes gaming as top target
Gcore reported 2.2 Tbps peaks and rising application-layer attacks (38% of total). Financial services and hosting providers heavily targeted.
Impact: Service disruption, increased mitigation costs.
Mitigation: Deploy WAAP, geo-based filtering, and capacity scaling.
Source: The Hacker News