Svoboda Cybersecurity Brief October 14, 2025
Software Vendor Exposes Confidential Court Records for Months
Software Unlimited Corp, a case management software vendor, has left sensitive court records exposed online for months despite repeated notifications. The unsecured shares contained confidential and sealed records, including juvenile case files and attorney-client communications. Researchers, Mandiant, and the FBI attempted to alert the vendor, but the data remains accessible.
Source: DataBreaches.net
SimonMed Imaging Breach Impacts 1.2M Patients via Medusa Ransomware
SimonMed Imaging disclosed a ransomware attack by the Medusa group, exposing 1.2 million patients’ data, including SSNs, medical records, and financial details. The intrusion ran from January 21 to February 5, 2025, and Medusa demanded a $1M ransom. SimonMed has since reset passwords and added endpoint monitoring.
Source: BleepingComputer
Oracle Patches EBS Zero-Day Exploited by Clop Ransomware Group
Oracle released an emergency patch for CVE-2025-61884, a high-severity flaw in E-Business Suite (EBS) that allows unauthenticated access to sensitive data. It follows CVE-2025-61882, which Clop/FIN11 exploited in a widespread extortion campaign targeting executives.
Impact: Remote data theft without authentication.
Mitigation: Apply Oracle’s out-of-band patch immediately.
Source: SecurityWeek
Microsoft Restricts IE Mode in Edge After Zero-Day Exploits
Microsoft disabled easy access to IE mode in Edge after attackers exploited unpatched Chakra engine flaws to achieve RCE and privilege escalation. The fix requires manual site-by-site approval for IE mode, reducing attack surface. Enterprise policies remain unaffected.
Impact: Browser escape and full device compromise.
Mitigation: Update Edge and restrict IE mode usage.
Source: BleepingComputer
SonicWall VPN Accounts Targeted in Credential-Stuffing Campaign
Over 100 SonicWall SSL VPN accounts were breached using stolen credentials, with attackers conducting network scans and lateral movement attempts. The campaign, unrelated to SonicWall’s recent cloud backup breach, originated from IP 202.155.8[.]73.
Impact: Unauthorized network access.
Mitigation: Rotate credentials, enforce MFA, and restrict WAN management.
Source: SecurityWeek
Multi-Country Botnet Targets US RDP Services with 100K IPs
A botnet spanning 100+ countries is targeting US RDP services via timing attacks and login enumeration. GreyNoise observed traffic spikes from Brazil, Iran, China, and Russia, with TCP fingerprint clustering suggesting centralized control.
Impact: Credential theft and brute-force attacks.
Mitigation: Block malicious IPs, enforce VPN+MFA for RDP.
Source: BleepingComputer
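The two campaigns above (credential stuffing against SonicWall SSL VPN from one source, and a distributed botnet against RDP) leave different traces in authentication logs, and per-IP lockouts only catch the first. The following is an added example, not code from the brief or from any vendor, that runs both detections over a constructed log: a fan-out check (one source IP failing against many accounts) and a fan-in check (one account failing from many source IPs), then lists successful logins from a flagged source as the accounts to reset first. The log format, thresholds, window and every record except the reported source IP 202.155.8[.]73 are assumptions made for the example.

```python
"""Added example: fan-out and fan-in login-failure detections over a constructed
VPN/RDP authentication log. Adapt parse_log() to your appliance's real export."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed records (hypothetical format): "<UTC time> <source IP> <username> <OK|FAIL>".
# Only the first source IP comes from the brief; all other values are made up.
SAMPLE_LOG = """\
2025-10-13T02:14:05Z 202.155.8.73 rpatel FAIL
2025-10-13T02:14:07Z 202.155.8.73 mbrown FAIL
2025-10-13T02:14:09Z 202.155.8.73 akhan FAIL
2025-10-13T02:14:11Z 202.155.8.73 lwu FAIL
2025-10-13T02:14:13Z 202.155.8.73 dgarcia FAIL
2025-10-13T02:14:15Z 202.155.8.73 pnovak OK
2025-10-13T02:20:00Z 198.51.100.7 jsmith FAIL
2025-10-13T02:21:00Z 203.0.113.9 jsmith FAIL
2025-10-13T02:22:00Z 192.0.2.44 jsmith FAIL
2025-10-13T02:23:00Z 198.51.100.88 jsmith FAIL
2025-10-13T02:24:00Z 203.0.113.120 jsmith FAIL
2025-10-13T03:00:00Z 192.0.2.10 jsmith OK
2025-10-13T03:05:00Z 192.0.2.10 jsmith OK
"""


class Event(NamedTuple):
    time: datetime
    src: str
    user: str
    ok: bool


LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(OK|FAIL)$")
WINDOW = timedelta(minutes=10)  # assumed detection window


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format; lines that do not match are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, result = m.groups()
            events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result == "OK"))
    return events


def _peak_distinct(events: List[Event], key, value, window: timedelta) -> Dict[str, int]:
    """For each key(e), the largest number of distinct value(e) seen inside any sliding window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[key(e)].append(e)
    peaks = {}
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e.time)
        counts, left, best = Counter(), 0, 0
        for e in evs:
            counts[value(e)] += 1
            while e.time - evs[left].time > window:  # evict events older than the window
                old = value(evs[left])
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        peaks[k] = best
    return peaks


def find_credential_stuffing(events: List[Event], window: timedelta = WINDOW, min_users: int = 5) -> Dict[str, int]:
    """Fan-out: source IPs whose failures span >= min_users distinct accounts in one window,
    i.e. one host replaying a credential list, as in the SonicWall campaign."""
    fails = [e for e in events if not e.ok]
    peaks = _peak_distinct(fails, lambda e: e.src, lambda e: e.user, window)
    return {ip: n for ip, n in peaks.items() if n >= min_users}


def find_distributed_bruteforce(events: List[Event], window: timedelta = WINDOW, min_sources: int = 5) -> Dict[str, int]:
    """Fan-in: accounts that receive failures from >= min_sources distinct IPs in one window.
    Per-IP rate limits miss this; a botnet spreads one attempt per node."""
    fails = [e for e in events if not e.ok]
    peaks = _peak_distinct(fails, lambda e: e.user, lambda e: e.src, window)
    return {user: n for user, n in peaks.items() if n >= min_sources}


def compromised_logins(events: List[Event], stuffing_ips) -> List[tuple]:
    """Successful logins from a flagged stuffing source: the accounts to reset first."""
    return sorted({(e.src, e.user) for e in events if e.ok and e.src in stuffing_ips})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    stuffing = find_credential_stuffing(evs)
    print("credential stuffing sources:", stuffing)
    print("distributed brute-force targets:", find_distributed_bruteforce(evs))
    print("successes from stuffing sources:", compromised_logins(evs, stuffing))
```

On the constructed log the fan-out check flags 202.155.8.73 (five accounts in eight seconds) and the fan-in check flags jsmith (five sources in four minutes) even though no single botnet node exceeds one attempt; the later logins from 192.0.2.10 are not flagged, since the counts use failures only. Thresholds of 5 are a starting point; tune them against your own baseline before alerting on them.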
RondoDox Botnet Expands Exploit Arsenal to 50+ CVEs
The RondoDox botnet now exploits 56 vulnerabilities across 30+ vendors (D-Link, NETGEAR, Cisco) to infect routers, DVRs, and IoT devices. Trend Micro observed co-packaging with Mirai/Morte payloads, enhancing evasion.
Impact: DDoS and device hijacking.
Mitigation: Patch affected devices and monitor for suspicious traffic.
Source: The Hacker News
Astaroth Banking Trojan Uses GitHub for Resilient C2
The Astaroth trojan abuses GitHub repositories to host malware configs, enabling recovery after C2 takedowns. Targets include Brazilian banks and crypto platforms, with anti-analysis checks for debuggers like IDA Pro.
Impact: Credential theft via keylogging.
Mitigation: Block suspicious AutoIt scripts and monitor GitHub-linked traffic.
Source: The Hacker News
Spanish Authorities Dismantle GXC Team Phishing Operation
Spanish police arrested the alleged leader of GXC Team, a crime-as-a-service (CaaS) operation selling phishing kits and Android malware. The group targeted banks and e-commerce firms in the US, UK, and Brazil, causing millions in losses.
Source: SecurityWeek
NPM Packages Abused in Phishing Campaign Targeting Industrial Firms
Threat actors uploaded 175+ malicious npm packages (e.g., redirect-xxxxxx) whose contents were served as phishing pages through the unpkg.com CDN, which publishes any file from any npm package under a trusted domain. The campaign targeted energy and tech firms with fake purchase orders.
Impact: Credential harvesting via spoofed login pages.
Mitigation: Audit third-party scripts, enforce SRI on CDN-loaded assets, and treat unpkg.com links in inbound mail as suspect (SRI protects your own pages, not users who follow a phishing link).
Source: SecurityWeek
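An added example (not from the brief and not npm's or unpkg's code) of the mitigation on the last line: computing an SRI integrity value for an asset you have reviewed, verifying it the way a browser does (strongest listed algorithm wins), and auditing a page for cross-origin scripts and stylesheets that load without one. The HTML, the pinned library body, and the hosts cdn.example.net and www.example.com are constructed for the example. Because SRI only protects pages you serve and does nothing for a user who follows an emailed link to a page on unpkg.com, the audit rates unpinned assets from npm-backed CDNs higher, as origins to allow-list or block at the proxy.

```python
"""Added example: SRI hash generation, browser-style verification, and an audit of
third-party <script>/<link> tags in a page. Sample HTML and asset body are constructed."""
import base64
import hashlib
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Hosts that serve any file from any published npm package; content there is only
# as trustworthy as the package author. The brief names unpkg.com; extend as needed.
NPM_CDN_HOSTS = {"unpkg.com"}
SRI_ALGOS = ("sha256", "sha384", "sha512")  # weakest to strongest, as browsers rank them


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Integrity value for an asset you have reviewed and pinned: '<algo>-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm {algo!r}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Browser rule: keep only tokens for the strongest algorithm present, accept if any matches."""
    tokens = [t for t in integrity.split() if t.split("-", 1)[0] in SRI_ALGOS]
    if not tokens:
        return False
    strongest = max(t.split("-", 1)[0] for t in tokens)  # SRI_ALGOS sort lexically in strength order
    expected = sri_hash(body, strongest)
    return any(t == expected for t in tokens if t.startswith(strongest + "-"))


class _AssetCollector(HTMLParser):
    """Collects <script src> and <link rel=stylesheet href> tags with their attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.assets: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # bare attributes (e.g. crossorigin) arrive with value None
        if tag == "script" and a.get("src"):
            self.assets.append({**a, "tag": "script", "url": a["src"]})
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.assets.append({**a, "tag": "link", "url": a["href"]})


def audit_html(html: str, first_party_host: str) -> List[Dict[str, str]]:
    """Findings for cross-origin assets: no integrity, or integrity without crossorigin
    (SRI on a cross-origin fetch needs CORS, else the browser blocks the asset)."""
    collector = _AssetCollector()
    collector.feed(html)
    findings = []
    for asset in collector.assets:
        host = urlparse(asset["url"]).hostname or first_party_host  # relative URL -> first party
        if host == first_party_host:
            continue
        if not asset.get("integrity"):
            severity = "high" if host in NPM_CDN_HOSTS else "medium"
            findings.append({"url": asset["url"], "issue": "no integrity attribute", "severity": severity})
        elif "crossorigin" not in asset:
            findings.append({"url": asset["url"], "issue": "integrity without crossorigin", "severity": "medium"})
    return findings


# Constructed stand-in for a reviewed library build, and a constructed page that loads
# one unpinned npm-CDN script, one correctly pinned script, and one unpinned stylesheet.
PINNED_LIB = b"export const ok = true;\n"
SAMPLE_HTML = f"""<!doctype html>
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://unpkg.com/example-widget@1.2.3/dist/widget.js"></script>
  <script src="https://cdn.example.net/lib.js" integrity="{sri_hash(PINNED_LIB)}" crossorigin="anonymous"></script>
  <link rel="stylesheet" href="https://cdn.example.net/theme.css">
</head><body></body></html>
"""

if __name__ == "__main__":
    print("pin for lib.js:", sri_hash(PINNED_LIB))
    for f in audit_html(SAMPLE_HTML, "www.example.com"):
        print(f["severity"], f["issue"], f["url"])
```

Run it and the audit reports the unpkg.com script as high (no pin on an npm-backed CDN) and the stylesheet as medium; lib.js passes because its pin matches the reviewed body and crossorigin is set. Regenerate the pin whenever you deliberately upgrade the asset, and alert when a pinned fetch starts failing in the browser, since that is the signal the CDN content changed underneath you.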