Svoboda Cybersecurity Brief November 14, 2025


Operation Endgame Disrupts Rhadamanthys, VenomRAT, and Elysium Botnet

Law enforcement from 9 countries took down 1,025 servers, seized 20 domains, and arrested a key suspect linked to VenomRAT. The infrastructure involved hundreds of thousands of infected systems and millions of stolen credentials, including access to 100,000 crypto wallets. Rhadamanthys was a leading infostealer, with over 525,000 infections tracked since March 2025.
Source: Europol

Critical WatchGuard Firebox Vulnerability Exploited in Attacks (CVE-2025-9242)

A critical out-of-bounds write flaw in WatchGuard Fireware OS (versions 11.10.2–12.11.3 and 2025.1) allows unauthenticated remote code execution via the IKEv2 VPN service. Exploitation attempts have been detected, and more than 54,000 devices remain exposed. The flaw stems from improper length checks during the IKE handshake.
Impact: Full device compromise, potential network infiltration.
Mitigation: Update to Fireware OS 2025.1.1, 12.11.4, or 12.5.13; rotate local secrets.
Source: CISA

Kraken Ransomware Benchmarks Systems for Optimal Encryption

Kraken ransomware (linked to HelloKitty) runs performance tests before encrypting files, choosing between full and partial encryption based on system speed. It targets Windows and Linux/ESXi systems and uses Cloudflared and SSHFS for data exfiltration. Ransom demands reach $1 million in Bitcoin.
Impact: Data encryption, exfiltration, and operational disruption.
Mitigation: Patch SMB vulnerabilities, restrict RDP, monitor for unusual Cloudflared/SSHFS activity.
Source: BleepingComputer

Akira Ransomware Now Targets Nutanix AHV VMs

Akira has expanded its Linux encryptor to target Nutanix AHV VM disk files (.qcow2), with intrusions exploiting CVE-2024-40766 (a SonicWall flaw). Attacks also involve deleting backups via Veeam vulnerabilities (CVE-2023-27532 and CVE-2024-40711).
Impact: VM encryption, backup destruction, domain admin compromise via NTDS.dit extraction.
Mitigation: Patch SonicWall/Veeam, enforce MFA, segment Nutanix environments.
Source: CISA

IndonesianFoods Worm Floods npm with 67,000+ Fake Packages

A self-replicating worm is spamming npm with packages named using Indonesian terms (e.g., “fajar-donat9-breki”). It auto-publishes a new package every 7 seconds using stolen npm credentials. Some packages abuse the TEA Protocol for crypto farming.
Impact: Registry pollution, supply chain risks, resource exhaustion.
Mitigation: Lock dependency versions, audit npm accounts, monitor for abnormal publishing.
Source: The Hacker News

ImunifyAV RCE Flaw Puts 56M Websites at Risk

A remote code execution vulnerability in ImunifyAV’s AI-bolit scanner (versions before v32.7.4.0) allows attackers to execute arbitrary PHP functions through unvalidated call_user_func_array calls. The flaw is exploitable when forced scans are enabled.
Impact: Server takeover, especially in shared hosting environments.
Mitigation: Update to v32.7.4.0 or later; restrict dynamically called functions to an allowlist of safe functions.
Source: BleepingComputer
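
As an added illustration of the bug class named above (not code from ImunifyAV or AI-bolit; the function names and the allowlist contents are hypothetical), a PHP snippet showing an unvalidated call_user_func_array dispatch next to an allowlisted one:

```php
<?php
// Added illustration of unvalidated dynamic function dispatch and its
// allowlisted counterpart. NOT code from ImunifyAV / AI-bolit; the function
// names and allowlist contents are hypothetical.

// Vulnerable pattern: the callee name and its arguments originate from an
// untrusted source (for a scanner, the file being analysed) and are
// dispatched without validation, so any defined PHP function is reachable.
function dispatch_unchecked(array $untrusted): mixed
{
    return call_user_func_array($untrusted['func'], $untrusted['args']);
}

// Hardened pattern: only functions the caller legitimately needs are
// dispatchable; everything else is rejected before reaching the call.
const ALLOWED_FUNCS = [
    'base64_decode' => true,
    'gzinflate'     => true,
    'str_rot13'     => true,
    'urldecode'     => true,
];

function dispatch_allowlisted(string $func, array $args): mixed
{
    // Normalise case and strip a leading "\" (global-namespace prefix) so the
    // allowlist lookup cannot be bypassed by spelling variants.
    $name = strtolower(ltrim(trim($func), '\\'));
    if (!isset(ALLOWED_FUNCS[$name])) {
        throw new InvalidArgumentException("Function not permitted: $func");
    }
    // Every allowlisted decoder takes exactly one string argument; enforce
    // the expected argument shape as well as the function name.
    if (count($args) !== 1 || !is_string($args[0])) {
        throw new InvalidArgumentException('Unexpected argument shape');
    }
    return call_user_func_array($name, $args);
}

// Constructed sample input: a legitimate decode succeeds...
var_dump(dispatch_allowlisted('base64_decode', ['aGVsbG8=']));  // string(5) "hello"

// ...while a request for a function outside the allowlist is refused.
try {
    dispatch_allowlisted('\\phpinfo', []);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```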

Google Sues Chinese SMS Phishing Triad Behind Lighthouse

Google filed a lawsuit against operators of the Lighthouse phishing kit, which spoofs 400+ brands and steals payment data via mobile wallet enrollment. The service has 1M+ victims across 120 countries and uses Telegram for coordination.
Source: KrebsOnSecurity

Fake Chrome Extension “Safery” Steals Ethereum Seed Phrases

The malicious extension (“Safery: Ethereum Wallet”) exfiltrates seed phrases by encoding them into Sui blockchain addresses and sending microtransactions (0.000001 SUI) to those addresses. The extension was still available on the Chrome Web Store as of November 2025.
Impact: Cryptocurrency wallet theft.
Mitigation: Avoid untrusted wallet extensions, monitor for unexpected Sui transactions.
Source: The Hacker News

Washington Post Confirms Oracle EBS Breach Impacting 9,720 Employees

Hackers exploited CVE-2025-61884 (an Oracle EBS zero-day) to steal bank details, SSNs, and tax IDs. The Clop ransomware group claimed responsibility and has listed 40+ organizations as victims, including Harvard and Hitachi’s GlobalLogic.
Source: BleepingComputer

Uhale Android Photo Frames Ship with Pre-Installed Malware

Rooted Uhale devices (500K+ downloads) automatically download malware (linked to Mzmess/Vo1d) on boot. Vulnerabilities include CVE-2025-58392 (RCE via TrustManager) and CVE-2025-58396 (unauthenticated file uploads).
Impact: Persistent device compromise, data theft.
Mitigation: Avoid non-reputable Android devices, disable SELinux if enabled.
Source: BleepingComputer
