Svoboda Cybersecurity Brief October 28, 2025

Plastic Surgery Practice Breach Exposes Sensitive Patient Data

Another plastic surgery practice, Michael R. Schwartz, MD, FACS, suffered a cyberattack compromising patient photos, SSNs, and medical records. Unauthorized access occurred between January 20 and August 26, 2025, with ransomware/extortion suspected based on past incidents involving similar practices. The clinic replaced hardware and enhanced security controls.
Source: DataBreaches.net

Qilin Ransomware Targets Manufacturing Sector with Dual Payloads

Qilin ransomware group averaged 40+ victims/month in 2025, favoring manufacturing (23%) and using BYOVD exploits. Attackers abused tools like Cyberduck for data exfiltration and deployed encryptor_1.exe (lateral movement) and encryptor_2.exe (network share encryption). Linux payloads were executed on Windows via Splashtop Remote.
Impact: Data theft, encryption, and backup sabotage via Veeam credential harvesting.
Mitigation: Patch VPNs, enforce MFA, monitor RMM tool usage.
Source: Talos via DataBreaches.net

WSUS Exploit (CVE-2025-59287) Actively Exploited, CISA Mandates Patch

A critical RCE flaw in Windows Server Update Services (WSUS) allows SYSTEM-level access via exposed ports 8530/8531. CISA ordered federal agencies to patch by November 14 after Huntress observed live exploits delivering .NET/PowerShell payloads.
Impact: Wormable attack vector enabling network-wide compromise.
Mitigation: Apply Microsoft’s out-of-band update or disable WSUS Server role.
Source: BleepingComputer

183M Gmail Credential Leak Misreported as Breach

Google debunked claims of a Gmail breach, clarifying leaked credentials were compiled from past malware/phishing campaigns. Troy Hunt added the dataset to Have I Been Pwned, with 91% duplicates from historical breaches.
Source: BleepingComputer

GCash Denies Dark Web Data Sale Amid NPC Investigation

Philippines’ NPC is investigating alleged sale of GCash user data (KYC details, bank links) on dark web by “Oversleep8351.” GCash claims the dataset doesn’t match its systems.
Source: DataBreaches.net

Italian Spyware Vendor Memento Labs Linked to Chrome Zero-Day

CVE-2025-2783 (Chrome sandbox escape) was exploited in Operation ForumTroll to deploy LeetAgent spyware, later linked to Memento Labs’ Dante tool. Dante shares code with Hacking Team’s RCS and self-destructs if inactive.
Source: BleepingComputer

Ransomware Payments Drop to 23% in Q3 2025

Coveware reports record-low ransom payments, citing improved defenses and targeting of mid-sized firms by Akira/Qilin. Median payment fell to $140K, with 76% of attacks involving data theft.
Source: SecurityWeek

X Forces Security Key Re-Enrollment Ahead of Domain Migration

X (Twitter) requires users with hardware 2FA keys to re-enroll by November 10 due to domain shift from twitter.com to x.com. Unupdated keys will lock accounts.
Source: The Hacker News

ChatGPT Atlas Browser Vulnerable to Prompt Injection via Fake URLs

NeuralTrust found ChatGPT Atlas could execute hidden commands when URLs contain disguised prompts (e.g., “https:/ /my-wesite.com/…”). OpenAI acknowledges prompt injection as an unsolved challenge.
Impact: Phishing, data theft via trusted input bypass.
Mitigation: Validate URLs manually, disable autoparsing.
Source: The Hacker News

Smishing Triad Campaign Uses 194K Domains to Impersonate Services

Chinese-linked Smishing Triad targeted global victims via SMS phishing, impersonating USPS, IRS, and crypto platforms. Domains had short lifespans (82.6% active <2 weeks) to evade detection.
Source: SecurityWeek

Share this brief: https://svo.bz/4ZQI