Svoboda Cybersecurity Brief October 25, 2025


Critical WSUS Vulnerability Actively Exploited in Attacks

Microsoft released out-of-band updates for CVE-2025-59287, a critical WSUS flaw allowing remote code execution (RCE) with SYSTEM privileges. Exploits were observed hours after PoC release, targeting vulnerable WSUS servers exposed online (~2,500 globally). The flaw stems from unsafe deserialization in WSUS’s legacy serialization mechanism.
Impact: Unauthenticated attackers can execute arbitrary code on vulnerable WSUS servers.
Mitigation: Apply Microsoft’s emergency patches (KB5070881-KB5070887) or disable WSUS Server Role.
Source: BleepingComputer

Scattered Spider Teenagers Charged Over TfL Cyberattack

Two UK teens (Thalha Jubair, 19, and Owen Flowers, 18) appeared in court for hacking Transport for London (TfL), causing 3 months of disruption to Tube services and Oyster payments. Jubair faces additional U.S. charges for 120 intrusions extorting $115M in ransoms. Linked to cybercriminal group Scattered Spider.
Source: DataBreaches.net

ModMed Healthcare Data Breach Followed by Fake Sale Listing

ModMed disclosed a July cyberattack exposing podiatry patient data (SSNs, medical records). Later, attacker “phanes” listed 1,003 records for sale, claiming a second October breach. Sample data confirmed real patient details, but ModMed hasn’t clarified if it’s a new incident.
Source: DataBreaches.net

Self-Spreading GlassWorm Infects VS Code Extensions

A supply-chain worm infected 14 VS Code extensions (~35,800 downloads) distributed via Open VSX and the Microsoft Marketplace. It uses the Solana blockchain for C2, hides its malicious code behind invisible Unicode characters, harvests npm/GitHub credentials, and deploys SOCKS proxies/HVNC.
Impact: Developers’ systems compromised; malware spreads autonomously.
Mitigation: Audit installed extensions, revoke exposed credentials.
Source: The Hacker News
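A quick way to audit installed extensions for the hiding technique described above is to flag source files containing invisible or format code points. The scanner below is an added example, not code from the brief or from any cited researcher; the sample extension file is constructed, and the set of flagged ranges is an assumption about what should never appear in legitimate extension JavaScript.

```python
import unicodedata
from pathlib import Path
from typing import Dict, List, Tuple

# Assumed policy: no format (Cf), private-use (Co) or unassigned (Cn) code
# points, and no variation selectors (Mn, but usable as invisible carriers).
VARIATION_SELECTORS = [(0xFE00, 0xFE0F), (0xE0100, 0xE01EF)]

def is_suspicious(ch: str) -> bool:
    cp = ord(ch)
    if unicodedata.category(ch) in ("Cf", "Co", "Cn"):
        return True
    return any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS)

def scan_source(text: str) -> List[Tuple[int, int, str]]:
    """Return (line, column, code point) for every suspicious character.
    A byte-order mark as the very first character is treated as benign."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue
            if is_suspicious(ch):
                findings.append((lineno, col, f"U+{ord(ch):04X}"))
    return findings

def scan_extension_dir(root: str) -> Dict[str, List[Tuple[int, int, str]]]:
    """Scan every .js file under an extensions directory; map path -> hits."""
    results = {}
    for path in Path(root).rglob("*.js"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip, do not abort the audit
        hits = scan_source(text)
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample: zero-width characters inside a string literal and a run
# of variation selectors where an invisible payload would be carried.
SAMPLE_EXTENSION_JS = (
    'const cfg = { name: "helper" };\n'
    'function activate(ctx) {\n'
    '  const key = "abc\u200b\u200ddef";\n'
    '  run(\ufe00\ufe01\ufe02);\n'
    '}\n'
)

if __name__ == "__main__":
    for line, col, cp in scan_source(SAMPLE_EXTENSION_JS):
        print(f"line {line} col {col}: {cp} {unicodedata.name(chr(int(cp[2:], 16)), '?')}")
```

Point `scan_extension_dir` at the VS Code extensions folder (for example `~/.vscode/extensions`) to list every file that carries such characters; a hit is a reason to inspect, not proof of compromise, since some locales legitimately use format characters in string data.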

Smishing Triad Operates 194K Malicious Domains

China-linked Smishing Triad runs a global phishing operation via 194,000 domains (68% registered via Hong Kong’s Dominet). Targets toll services, USPS, and banks, earning $1B+ since 2022. Uses U.S. cloud hosting (Cloudflare) for resilience.
Source: The Hacker News

YouTube Ghost Network Distributes Stealer Malware

3,000+ malicious YouTube videos promoted pirated software/Roblox cheats, infecting users with Lumma, Rhadamanthys stealers. Hijacked accounts (“Video/Post/Interact” roles) tripled since 2024. Google removed most videos post-disclosure.
Source: The Hacker News

Lazarus Targets European Drone Firms Via Fake Job Offers

North Korea’s Lazarus Group attacked EU defense firms (UAV tech) using trojanized PDF readers delivering ScoringMathTea RAT. Likely seeks drone IP for domestic production/reverse engineering.
Source: SecurityWeek

Toys “R” Us Canada Confirms Customer Data Leak

Customer data (names, emails, addresses) was leaked on the “unindexed internet” following a July breach. No financial data was compromised, and no ransomware group has claimed responsibility.
Source: SecurityWeek

WordPress Plugins Mass-Exploited for RCE

Attackers targeted GutenKit (CVE-2024-9234) and Hunk Companion (CVE-2024-9707/CVE-2024-11972) flaws to install malicious plugins. 8.7M attacks blocked in 2 days.
Impact: Remote code execution via outdated plugins.
Mitigation: Update to GutenKit 2.1.1+/Hunk Companion 1.9.0+.
Source: BleepingComputer

Fake LastPass Inheritance Emails Steal Master Passwords

CryptoChameleon group sent phishing emails mimicking LastPass’s inheritance feature, luring users to fake login pages. Campaign expanded to target passkeys.
Source: BleepingComputer
