Svoboda Cybersecurity Brief November 20, 2025


PowerSchool cyber attack exposes student data across Canada

The Ontario Information and Privacy Commissioner released a report on the December 2024 PowerSchool breach affecting millions, revealing the company paid a ransom. The investigation found lack of multi-factor authentication, inadequate breach response plans, and excessive remote access privileges for support personnel.
Source: DataBreaches

Google sues Lighthouse Phishing-as-a-Service platform

Google filed a lawsuit against Lighthouse operators for distributing phishing kits impersonating brands like USPS and Google. The complaint alleges the service facilitated credential and credit card theft globally.
Source: DataBreaches

Princeton University breach impacts alumni and employees

A November 10 breach exposed donor and engagement data for alumni, students, and staff. No SSNs or financial data was compromised, but names, emails, and fundraising details were accessed.
Source: DataBreaches

UK introduces Cyber Security and Resilience Bill

The bill expands NIS Regulations to cover managed service providers and data centers, increases fines to 4% of global turnover, and grants regulators stronger enforcement powers.
Source: DataBreaches

French childcare service Pajemploi breach affects 1.2M

Attackers stole personal data of caregivers and employers using the URSSAF-linked service. The breach notification did not specify the attack vector.
Source: DataBreaches

Sneaky2FA PhaaS kit adds browser-in-the-browser attacks

The adversary-in-the-middle (AitM) kit now renders a fake Microsoft sign-in popup inside the phishing page, styled to match the victim's OS and browser, while relaying the real authentication flow in the background. Because the relay completes the genuine login, it captures a working session even when the account is protected by 2FA.
Impact: Effective against accounts protected by OTP or push-based MFA.
Mitigation: A genuine popup is a separate OS window: it can be dragged outside the browser's viewport and shows its own taskbar entry, which an in-page BitB frame cannot do. Phishing-resistant MFA (FIDO2/passkeys) defeats the relay outright because the credential is bound to the real origin.
Source: BleepingComputer

W3 Total Cache WordPress plugin RCE vulnerability

CVE-2025-9501 is an unauthenticated PHP command injection reachable through a crafted blog comment that the plugin's dynamic-content parser processes when building cached pages. It is fixed in v2.8.13, but roughly 400k sites are estimated to still be running vulnerable versions.
Impact: Full server compromise possible.
Mitigation: Update to 2.8.13 or later now; if you cannot, disable comments or deactivate the plugin until you can.
Source: BleepingComputer

US sanctions Russian bulletproof hosting provider Media Land

The provider supported LockBit, BlackSuit, and Play ransomware operations. Three executives were also sanctioned, with infrastructure linked to DDoS attacks on US telecoms.
Source: BleepingComputer

WrtHug campaign hijacks 50,000 ASUS routers

Chaining six vulnerabilities (CVE-2023-39780 and CVE-2025-2492 among them), attackers installed self-signed TLS certificates with a 100-year validity period on compromised routers, mostly in Taiwan, Russia, and the US. The unusual certificate lifetime is the campaign's most reliable indicator.
Impact: The devices likely form an operational relay box (ORB) network for Chinese-linked threat actors.
Mitigation: Replace end-of-life devices; on supported models, apply the firmware fixes and disable AiCloud if it is not needed.
Source: BleepingComputer
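The 100-year certificate is something you can check for directly. The following is an added example, not code from the WrtHug report or from ASUS: it reads certificate dates in the format both `ssl.SSLSocket.getpeercert()` and `openssl x509 -noout -dates` produce and flags validity windows far beyond what any legitimate issuer would use. The `openssl` shell-out in `lifetime_from_host` assumes the OpenSSL CLI is installed; the sample certificate dates are constructed, not real router data.

```python
import ssl
import subprocess

# Added example (not from the WrtHug report). Flags TLS certificates whose
# validity period is implausibly long; the campaign's indicator is a
# self-signed certificate valid for 100 years.
#
# Date strings use the format shared by ssl.SSLSocket.getpeercert() and
# `openssl x509 -noout -dates`, e.g. "Nov 20 00:00:00 2025 GMT".

# Public CAs have capped leaf-certificate lifetimes at 398 days since 2020.
# A self-signed router cert can legitimately be longer, but a window of
# decades on an internet-facing device deserves a look.
MAX_LIFETIME_DAYS = 398


def cert_lifetime_days(not_before: str, not_after: str) -> float:
    """Validity span in days, parsed with the stdlib certificate-time parser."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    return (end - start) / 86400


def is_suspicious_lifetime(cert: dict, max_days: float = MAX_LIFETIME_DAYS) -> bool:
    """True if the certificate's notBefore..notAfter window exceeds max_days."""
    return cert_lifetime_days(cert["notBefore"], cert["notAfter"]) > max_days


def parse_openssl_dates(text: str) -> dict:
    """Turn the two lines printed by `openssl x509 -noout -dates` into a
    getpeercert()-style dict with notBefore/notAfter keys."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            out[key.strip()] = value.strip()
    return out


def lifetime_from_host(host: str, port: int = 443) -> float:
    """Fetch the leaf certificate with the OpenSSL CLI and return its lifetime in days.

    The CLI is used rather than ssl.getpeercert() because getpeercert()
    returns an empty dict when verification is disabled, and a router's
    self-signed certificate will not verify against the system trust store.
    """
    cmd = (
        f"openssl s_client -connect {host}:{port} -servername {host} </dev/null 2>/dev/null"
        " | openssl x509 -noout -dates"
    )
    output = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True).stdout
    dates = parse_openssl_dates(output)
    return cert_lifetime_days(dates["notBefore"], dates["notAfter"])


# Constructed sample data for offline use (not real router certificates).
NORMAL_CERT = {"notBefore": "Nov 20 00:00:00 2025 GMT", "notAfter": "Nov 20 00:00:00 2026 GMT"}
CENTURY_CERT = {"notBefore": "Apr 21 00:00:00 2025 GMT", "notAfter": "Apr 21 00:00:00 2125 GMT"}
SAMPLE_OPENSSL_OUTPUT = "notBefore=Apr 21 00:00:00 2025 GMT\nnotAfter=Apr 21 00:00:00 2125 GMT\n"


if __name__ == "__main__":
    for label, cert in (("normal", NORMAL_CERT), ("century", CENTURY_CERT)):
        days = cert_lifetime_days(cert["notBefore"], cert["notAfter"])
        print(f"{label}: {days:.0f} days, suspicious={is_suspicious_lifetime(cert)}")
```

To sweep a fleet, call `lifetime_from_host` for each router's management address and alert on anything over the threshold; the port is whatever the router's HTTPS admin or AiCloud interface listens on, so pass it explicitly rather than assuming 443.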

Fortinet discloses second FortiWeb zero-day in a week

CVE-2025-58034 is an authenticated OS command injection reachable through crafted HTTP requests or CLI commands. It follows CVE-2025-64446, which Fortinet fixed silently in October and only acknowledged after exploitation was reported. CISA has added the new flaw to its KEV catalog with a seven-day federal patching deadline.
Impact: Internet-facing FortiWeb appliances, including those in front of critical infrastructure, are at risk; authenticated access is a low bar when the earlier bug can bypass authentication.
Mitigation: Upgrade to FortiWeb 8.0.2, 7.6.6, or the fixed release for your branch immediately, and review admin accounts created since October.
Source: SecurityWeek

ShinySp1d3r RaaS emerges from Scattered Spider/ShinyHunters

The new ransomware uses ChaCha20+RSA encryption, process hollowing, and network propagation via WMI/GPO. Features include wipe.tmp free-space overwriting and dynamic extension generation.
Source: BleepingComputer

PlushDaemon hijacks software updates with EdgeStepper

The China-linked group compromised routers to redirect update traffic (e.g., Sogou Pinyin) and deploy SlowStepper backdoor. Targets include automotive and semiconductor sectors.
Impact: Global supply chain compromise risk.
Mitigation: Secure edge devices and monitor DNS anomalies.
Source: BleepingComputer

7-Zip CVE-2025-11001 exploited in wild

The flaw, fixed in 7-Zip 25.00, lies in how earlier versions handle symbolic links inside ZIP archives: a crafted archive can cause extraction to write files outside the target directory, giving code execution in the context of whoever runs the extraction. NHS England has confirmed active exploitation.
Impact: Compromise of the service account performing extraction, which on servers that unpack untrusted uploads is often privileged.
Mitigation: Upgrade to 7-Zip 25.00 or later, and do not extract untrusted archives with elevated privileges.
Source: TheHackerNews
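Whatever extractor you use, the archive can be inspected before anything is written to disk. The following is an added example, not 7-Zip's code and not an exploit for CVE-2025-11001: it lists every ZIP entry that either traverses out of the extraction directory or is a Unix symlink, the two entry types the 7-Zip fix concerns. The sample archive is constructed in memory; the entry names and link target in it are made up for the demonstration.

```python
import io
import stat
import zipfile

# Added example: pre-extraction audit of a ZIP archive. Not 7-Zip's own
# code; it demonstrates the two checks an extractor must apply before
# writing entries: path traversal and symbolic links.


def name_escapes(name: str) -> bool:
    """True if an entry name would land outside the extraction directory."""
    if name.startswith(("/", "\\")):
        return True
    if len(name) > 1 and name[1] == ":":  # Windows drive letter, e.g. C:\...
        return True
    parts = name.replace("\\", "/").split("/")
    return ".." in parts


def entry_is_symlink(info: zipfile.ZipInfo) -> bool:
    """Unix entries store the file mode in the high 16 bits of external_attr."""
    mode = info.external_attr >> 16
    return stat.S_ISLNK(mode)


def audit_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) for every entry that is unsafe to extract blindly.

    Symlinks are reported unconditionally: even an in-tree link can be
    followed by a later entry that writes through it, which is the
    pattern a symlink-aware extractor must refuse.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if name_escapes(info.filename):
                findings.append((info.filename, "path traversal"))
            if entry_is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")
                kind = "escaping" if name_escapes(target) else "in-tree"
                findings.append((info.filename, f"{kind} symlink -> {target}"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: one benign file, one traversal entry, one symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        # zipfile does not sanitise names on write, so this is stored as-is.
        zf.writestr("../../etc/cron.d/job", "* * * * * root /tmp/x\n")
        link = zipfile.ZipInfo("config")
        link.create_system = 3  # Unix, so external_attr carries a mode
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/etc/passwd")  # a symlink entry's data is its target
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_zip(build_sample_zip()):
        print(f"REFUSE {name!r}: {reason}")
```

Run the audit on uploads before handing them to any extractor, and treat a non-empty result as grounds to reject the archive rather than to extract "the safe parts": the dangerous entries are typically ordered so that a symlink is created first and then written through.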

WhatsApp worm spreads Eternidade Stealer in Brazil

A Python script hijacks WhatsApp Web to send malicious MSI installers containing AutoIt-based banking trojan. Targets financial and crypto apps like MercadoPago and Binance.
Source: TheHackerNews

Microsoft mitigates 15.7 Tbps Azure DDoS attack

The October 24 attack, attributed to the Aisuru botnet and sourced from more than 500k IPs, hit a single Australian endpoint with UDP floods. Its scale is in the same range as the 22 Tbps attack Cloudflare reported as a record earlier this year.
Source: SecurityWeek

Iran-linked cyber-kinetic attacks documented

Amazon revealed Imperial Kitten hacked ship AIS systems before Houthi missile strikes (2024) and MuddyWater accessed Jerusalem CCTV ahead of June 2025 attacks.
Source: SecurityWeek

Ray AI framework flaw fuels cryptojacking campaign

CVE-2023-48022, an unauthenticated RCE through Ray's Jobs API on exposed dashboards, is being exploited to build a self-propagating botnet that mines on victims' GPUs and exfiltrates data. The attackers host payload updates on GitLab CI/CD so that compromised nodes fetch new stages on demand.
Impact: 230k+ exposed clusters vulnerable.
Mitigation: Keep the Ray dashboard and Jobs API (port 8265 by default) off any untrusted network, or disable the Jobs API if it is not used; the flaw is unpatched by design, so network isolation is the fix.
Source: SecurityWeek
