Svoboda Cybersecurity Brief October 11, 2025
Aisuru Botnet Launches Record 30 Tbps DDoS Attacks
The Aisuru botnet, leveraging 300,000 compromised IoT devices (routers, cameras, DVRs), has executed a 30 Tbps DDoS attack—the largest recorded. U.S. ISPs (AT&T, Comcast, Verizon) host most infected devices, complicating mitigation due to collateral congestion. The botnet uses Mirai-like tactics, including zero-day exploits (e.g., Totolink router firmware hijack) and residential proxy services.
Impact: Disrupts gaming servers (e.g., TCPShield) and ISP networks, risking widespread outages.
Mitigation: Patch IoT devices, enforce outbound traffic filtering, and monitor for unusual bandwidth usage.
Source: KrebsOnSecurity
Oracle EBS Zero-Day Exploited by Cl0p-Linked Actors
A zero-day (CVE-2025-61882, CVSS 9.8) in Oracle EBS has been exploited since August 9, 2025, to steal data from dozens of organizations. Attackers combined SSRF, CRLF injection, and XSL template attacks to deploy multi-stage malware (GoldVein.Java, SageWave). Extortion emails mimic Cl0p ransomware tactics but show ties to FIN11.
Impact: Data exfiltration from HR/payment systems; potential mass extortion.
Mitigation: Apply Oracle’s July 2025 patches, restrict EBS admin console access.
Source: The Hacker News
FBI Seizes BreachForums Portal Amid Salesforce Extortion
The FBI seized BreachForums.hn, a portal used by Scattered LAPSUS$ Hunters to extort Salesforce breach victims (e.g., FedEx, Disney). ShinyHunters confirmed law enforcement accessed forum backups since 2023 but vowed to leak data on October 10. The group claims to hold 1B+ records.
Impact: Extortion risk for high-profile companies; potential data leaks.
Mitigation: Monitor dark web for exfiltrated data, enforce MFA.
Source: BleepingComputer
Watsonville Hospital Suffers Dual Breaches, Silent on Details
Watsonville Community Hospital experienced two breaches: one by Termite (Nov 2024, patient data leaked) and another by Sinobi (Aug 2025, 13 GB encrypted). The hospital failed to notify HHS or California AG, while employees faced tax fraud.
Impact: Exposure of SSNs, diagnoses; potential HIPAA violations.
Mitigation: Audit third-party vendors, enforce breach disclosure protocols.
Source: DataBreaches
Gladinet Zero-Day Exploited for RCE (CVE-2025-11371)
A Local File Inclusion (LFI) flaw in Gladinet CentreStack/Triofox (all versions ≤16.7.10368.56560) allows unauthenticated attackers to read system files and chain with CVE-2025-30406 for RCE via ViewState deserialization.
Impact: Full system compromise.
Mitigation: Disable the temp handler in Web.config; await patch.
Source: BleepingComputer
Stealit Malware Abuses Node.js SEA Feature
Stealit malware uses Node.js’s Single Executable Application (SEA) feature to disguise itself as game/VPN installers. It drops executables (save_data.exe, stats_db.exe) to steal browser data and crypto wallets and to enable RAT capabilities.
Impact: Credential theft, persistent access.
Mitigation: Scan for malicious npm packages, block unpkg.com CDN abuse.
Source: The Hacker News
Storm-2657 Hijacks HR SaaS to Divert Salaries
The Payroll Pirates campaign targets Workday via AitM phishing, modifies payroll details to point at attacker-controlled accounts, and deletes the resulting alerts. It uses compromised university emails (11 accounts, 6,000 targets).
Impact: Financial fraud, insider threat escalation.
Mitigation: Enforce FIDO2 MFA, monitor inbox rules.
Source: The Hacker News
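The "monitor inbox rules" mitigation above is worth making concrete: the campaign relies on rules that silently delete or hide the payroll-change notification so the victim never sees it. The following is an added example, not code from the brief or from any of its sources; it scans a constructed, simplified export of mailbox rules (the field names are assumptions, not a real Exchange or Workday schema) and flags rules that both hide mail and match payroll/HR terms.

```python
"""Flag inbox rules that match the Payroll Pirates pattern: rules that
delete or hide payroll/HR notifications. The rule record format below is
constructed for this example and is not a real mailbox export schema."""
import re

# Terms an attacker would need to suppress after altering payroll details.
PAYROLL_TERMS = re.compile(
    r"\b(payroll|direct deposit|bank account|workday|pay statement|hr)\b",
    re.IGNORECASE,
)
# Rule actions that keep a message out of the user's sight (assumed names).
HIDING_ACTIONS = {"delete", "move_to_deleted", "move_to_rss", "mark_read_and_move"}

# Constructed sample export: one dict per rule.
SAMPLE_RULES = [
    {"mailbox": "jdoe@example.edu", "name": "Newsletters",
     "subject_contains": ["newsletter"], "action": "move_to_folder"},
    {"mailbox": "jdoe@example.edu", "name": ".",
     "subject_contains": ["Workday", "direct deposit"], "action": "delete"},
    {"mailbox": "asmith@example.edu", "name": "Archive HR",
     "subject_contains": ["HR"], "action": "move_to_rss"},
    {"mailbox": "asmith@example.edu", "name": "Clean",
     "subject_contains": [], "from_contains": ["payroll@"], "action": "delete"},
]


def rule_filters(rule):
    """All string filters a rule matches on (subject and sender)."""
    return rule.get("subject_contains", []) + rule.get("from_contains", [])


def is_suspicious(rule):
    """True when the rule hides mail AND its filters target payroll/HR terms."""
    if rule["action"] not in HIDING_ACTIONS:
        return False
    return any(PAYROLL_TERMS.search(f) for f in rule_filters(rule))


def find_suspicious_rules(rules):
    """Return (mailbox, rule name, action, matching filters) for each hit."""
    return [
        (r["mailbox"], r["name"], r["action"], rule_filters(r))
        for r in rules
        if is_suspicious(r)
    ]


if __name__ == "__main__":
    for hit in find_suspicious_rules(SAMPLE_RULES):
        print("SUSPICIOUS:", hit)
```

Run against a real export, the same check is a cheap first pass before a human reviews each flagged rule alongside recent payroll changes for that mailbox.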
Apple Boosts Bug Bounty to $2M for Zero-Click RCE
Apple’s bug bounty now offers $2M for zero-click RCE (up to $5M with bonuses). New “Target Flags” streamline vulnerability validation. Over $35M paid to 800 researchers since 2020.
Source: SecurityWeek
RondoDox Botnet Exploits 50+ IoT Vulnerabilities
The RondoDox botnet targets 30+ vendors (TP-Link, TBK DVRs) via 56 vulnerabilities (18 unpatched). It co-distributes Mirai payloads for DDoS/mining.
Impact: Network compromise, cryptojacking.
Mitigation: Patch CVE-2023-1389, CVE-2024-3721.
Source: SecurityWeek
npm Hosts 175 Malicious Packages in Phishing Campaign
The Beamglea campaign uses 175 npm packages to host redirect scripts (e.g., beamglea.js) for Microsoft credential phishing. The packages, masquerading as invoices/docs, have been downloaded more than 26,000 times.
Impact: Credential theft via trusted CDNs.
Mitigation: Audit npm dependencies, block unpkg.com for sensitive workflows.
Source: The Hacker News