Svoboda Cybersecurity Brief October 04, 2025

Scattered LAPSUS$ Hunters Escalate Salesforce Extortion Campaign

The Scattered LAPSUS$ Hunters group launched a new leak site targeting Salesforce and 39 customers, threatening to expose 1 billion+ records unless ransoms are paid by October 10. Samples include data from Disney, Home Depot, Walgreens, and government employees. Compromised data ranges from customer PII to internal employee records, posing phishing and social engineering risks.
Impact: High-risk exposure of sensitive CRM data across major enterprises.
Mitigation: Affected organizations should validate Salesforce instance security, revoke unauthorized OAuth apps, and monitor for credential misuse.
Source: DataBreaches.net


Salesforce Extortion Wave Linked to OAuth Phishing

ShinyHunters-linked “Scattered LAPSUS$ Hunters” leaked samples from 39 companies breached via Salesforce OAuth app phishing. Attackers demand payment to prevent full leaks by October 10. Victims include FedEx, Marriott, and UPS, with stolen data including AWS keys, Snowflake tokens, and customer PII.
Impact: Credential theft, supply chain attacks, and regulatory penalties (e.g., GDPR).
Mitigation: Disconnect suspicious OAuth integrations, enforce MFA, and audit third-party app permissions.
Source: BleepingComputer


Clop Exploits Oracle EBS Vulnerabilities in Extortion Campaign

Oracle links Clop ransomware’s extortion emails to CVE-2025-30745/30746/50107 in E-Business Suite, all patched in July 2025. The attacks target unpatched systems, mirroring Clop’s past zero-day campaigns (MOVEit, GoAnywhere). Mandiant notes that the data theft claims remain unverified.
Impact: Potential financial fraud and data leaks.
Mitigation: Apply Oracle’s July 2025 CPU, isolate EBS instances, and monitor for anomalous HTTP requests.
Source: BleepingComputer


Asahi Group Hit by Ransomware, Factory Operations Disrupted

Japanese beer giant Asahi confirmed ransomware encrypted systems, forcing manual order processing. Attackers exfiltrated data but no group claimed responsibility. Incident limited to Japan, with recovery timeline unclear.
Impact: Production halts, supply chain delays, and potential data exposure.
Mitigation: Isolate compromised systems, review backup integrity, and audit lateral movement.
Source: BleepingComputer


Renault/Dacia UK Warns of Third-Party Data Breach

Renault UK notified customers of a breach at an unnamed supplier, exposing names, addresses, VINs, and contact details. No financial data was leaked. Attackers could use data for phishing or fraud.
Impact: Targeted social engineering attacks against vehicle owners.
Mitigation: Monitor for phishing attempts, enforce credential rotation, and audit third-party access.
Source: BleepingComputer


Signal Rolls Out Quantum-Resistant Encryption Upgrade

Signal introduced SPQR, a post-quantum cryptographic layer that combines ML-KEM with ECC in a hybrid construction. It is backward-compatible but requires client updates; the Rust implementation was verified with ProVerif.
Impact: Future-proofs E2E encryption against quantum computing threats.
Source: BleepingComputer


Detour Dog DNS Malware Factory Distributes Strela Stealer

Infoblox tied threat actor Detour Dog to Strela Stealer campaigns using DNS TXT records for C2. Attacks leverage compromised WordPress sites and MikroTik botnets (REM Proxy). Targets include financial and government sectors.
Impact: Credential theft via SVG payloads and persistent backdoors.
Mitigation: Block suspicious DNS queries, patch WordPress vulnerabilities, and monitor for StarFish malware.
Source: The Hacker News
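As an added defender-side illustration of the mitigation above (this is not code from the brief or from Infoblox), the following Python heuristic scans constructed resolver log lines for a client that repeatedly receives opaque base64 TXT answers from a single name, the pattern a DNS TXT command channel leaves behind; the domains, client addresses and log format are assumptions.

```python
import base64
import binascii
import re
from collections import Counter

# Legitimate TXT records usually start with one of these; they are not C2.
KNOWN_TXT_PREFIXES = ("v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def b64_text(s: str) -> str:
    """Helper used only to build the constructed sample log below."""
    return base64.b64encode(s.encode()).decode()


# Constructed resolver log, "<seq> <client> <qname> <qtype> <rdata>": 10.0.0.7
# repeatedly polls one hypothetical name for TXT answers carrying base64 blobs.
SAMPLE_LOG = "\n".join([
    "1 10.0.0.5 example.com A 93.184.216.34",
    f"2 10.0.0.7 api.tracker-example.net TXT {b64_text('poll: no task queued')}",
    "3 10.0.0.5 example.com TXT v=spf1 include:_spf.example.com -all",
    f"4 10.0.0.7 api.tracker-example.net TXT {b64_text('task: run stage2')}",
    f"5 10.0.0.9 cdn.other-example.org TXT {b64_text('single lookup here')}",
    f"6 10.0.0.7 api.tracker-example.net TXT {b64_text('stage2 url fetch')}",
    f"7 10.0.0.7 api.tracker-example.net TXT {b64_text('sleep 600 then report')}",
])


def is_opaque_txt(rdata: str) -> bool:
    """True when a TXT answer is an opaque base64 blob, not a known record format."""
    rdata = rdata.strip().strip('"')
    if rdata.startswith(KNOWN_TXT_PREFIXES):
        return False
    if len(rdata) % 4 or not B64_RE.match(rdata):
        return False
    try:
        base64.b64decode(rdata, validate=True)
    except binascii.Error:
        return False
    return True


def find_txt_beacons(log: str, min_hits: int = 3) -> dict:
    """Count opaque TXT answers per (client, qname); keep pairs at or above min_hits."""
    hits = Counter()
    for line in log.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 5 or parts[3] != "TXT":
            continue
        _, client, qname, _, rdata = parts
        if is_opaque_txt(rdata):
            hits[(client, qname)] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}
```

On the sample log only 10.0.0.7 crosses the threshold; the single opaque answer to 10.0.0.9 is left below it so that one-off lookups do not page anyone.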


Rhadamanthys Stealer Adds Fingerprinting and Steganography

Version 0.9.2 of Rhadamanthys now collects device fingerprints, hides payloads in PNG/WAV files, and mimics Lumma’s anti-analysis alerts. Sold as MaaS for $299–$499/month.
Impact: Enhanced evasion and data exfiltration capabilities.
Mitigation: Deploy EDR with memory inspection, block unusual PNG/WAV downloads.
Source: The Hacker News


CometJacking Exploits AI Browser to Steal Emails

Attackers craft URL parameters for Perplexity’s Comet AI browser that cause it to execute injected commands and exfiltrate data in base64-encoded form. The issue remains unpatched despite an August disclosure.
Impact: Unauthorized access to Gmail/Calendar data without credentials.
Mitigation: Disable Comet’s service integrations pending vendor fixes.
Source: BleepingComputer


CISA Flags Actively Exploited Meteobridge Vulnerability

CVE-2025-4008 (CVSS 8.7) allows unauthenticated RCE via Meteobridge’s /cgi-bin/template.cgi. Smartbedded patched it in v6.2 (May 2025). ~100 devices exposed online.
Impact: Full device compromise via malicious HTTP requests.
Mitigation: Update to Meteobridge 6.2+, restrict web interface access.
Source: SecurityWeek


DrayTek Patches Unauthenticated RCE in Routers

CVE-2025-10547 affects 35 Vigor router models, allowing RCE via crafted HTTP/S requests. Local network access required unless WebUI/SSL-VPN is exposed.
Impact: Device takeover and potential lateral movement.
Mitigation: Apply firmware updates, disable remote management.
Source: SecurityWeek


Red Hat Investigating GitLab Data Theft

Crimson Collective hacked a consulting-team GitLab instance, stealing 570GB of code, CERs, and secrets. Red Hat isolated the instance; no evidence of supply chain compromise.
Impact: Potential customer credential exposure.
Mitigation: Rotate exposed secrets, audit consulting engagements.
Source: SecurityWeek
