Svoboda Cybersecurity Brief November 21, 2025
WhatsApp Enumeration Flaw Exposes 3.5 Billion Accounts
Researchers found that WhatsApp’s contact-discovery (phone number lookup) feature accepted bulk queries with no effective rate limit, letting them confirm which numbers were registered and scrape the associated public metadata (phone number, profile picture, and ‘about’ text) for roughly 3.5 billion accounts at around 100 million numbers per hour. Meta has since mitigated the issue.
Impact: Mass data exposure of user metadata.
Mitigation: Rate-limit lookup endpoints per client and cap how many distinct numbers one client may query; restrict bulk contact discovery to what a genuine address-book sync needs.
Source: The Register
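The guard below is an added example (not WhatsApp’s or Meta’s code) of the two controls the report says were missing on the lookup endpoint: a per-client request rate cap, and a cap on how many distinct numbers one client may query per hour, which is what separates an address-book sync from a scraper walking a number range. All thresholds, client names and phone numbers are constructed assumptions.

```python
"""Per-client guard for a contact-discovery (phone number lookup) endpoint.

Added example, not WhatsApp's or Meta's code. Thresholds and the sample
clients in simulate() are assumptions chosen to illustrate the control.
"""
import time
from collections import deque


class LookupGuard:
    """Sliding-window limits: requests per minute and distinct numbers per hour."""

    def __init__(self, max_requests_per_min=60, max_distinct_per_hour=500,
                 max_batch=50, clock=time.monotonic):
        self.max_requests_per_min = max_requests_per_min
        self.max_distinct_per_hour = max_distinct_per_hour
        self.max_batch = max_batch
        self.clock = clock
        self._requests = {}  # client_id -> deque of request timestamps
        self._numbers = {}   # client_id -> {number: last lookup timestamp}

    def _windows(self, client_id, now):
        """Return this client's request queue and seen-number map, pruned to the window."""
        q = self._requests.setdefault(client_id, deque())
        while q and now - q[0] > 60:
            q.popleft()
        seen = self._numbers.setdefault(client_id, {})
        for n in [n for n, t in seen.items() if now - t > 3600]:
            del seen[n]
        return q, seen

    def check(self, client_id, numbers):
        """Decide whether to serve a batch of lookups. Returns (allowed, reason)."""
        now = self.clock()
        q, seen = self._windows(client_id, now)
        if len(numbers) > self.max_batch:
            return False, "batch_too_large"
        if len(q) >= self.max_requests_per_min:
            return False, "rate_limited"
        new = {n for n in numbers if n not in seen}
        if len(seen) + len(new) > self.max_distinct_per_hour:
            # Re-syncing the same contacts is fine; fanning out over fresh numbers is not.
            return False, "enumeration_suspected"
        q.append(now)
        for n in numbers:
            seen[n] = now
        return True, "ok"


def simulate():
    """Constructed scenario with a fake clock: one phone syncing and later re-syncing
    its address book, one scraper walking a number range 50 numbers at a time."""
    t = [0.0]
    guard = LookupGuard(clock=lambda: t[0])

    contacts = [f"+4915200{i:06d}" for i in range(120)]   # constructed numbers
    phone = []
    for _ in range(2):                                     # sync, then re-sync later
        for i in range(0, len(contacts), 40):
            phone.append(guard.check("phone-A", contacts[i:i + 40])[1])
        t[0] += 300

    blocked_at = None
    for i in range(0, 5000, 50):
        t[0] += 1.5                                        # stays under 60 req/min
        block = [f"+43660{i + k:07d}" for k in range(50)]  # constructed range walk
        ok, reason = guard.check("scraper-B", block)
        if not ok:
            blocked_at = (i // 50, reason)                 # 0-based batch index
            break
    return phone, blocked_at


if __name__ == "__main__":
    print(simulate())  # (['ok', 'ok', 'ok', 'ok', 'ok', 'ok'], (10, 'enumeration_suspected'))
```

The distinct-number cap is the part that matters: a real client re-syncing the same 120 contacts never trips it, while the scraper is stopped after 500 fresh numbers even though it stays under the request-rate limit.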
ShinyHunters Breach Salesforce Customers via Gainsight App
ShinyHunters exploited Gainsight apps linked to Salesforce, gaining unauthorized access to data from 285 companies, including Verizon, GitLab, and SonicWall. Salesforce revoked tokens and removed affected apps from AppExchange.
Impact: Unauthorized access to sensitive corporate data.
Mitigation: Revoke compromised tokens, audit third-party app permissions.
Source: DataBreaches.net
Qilin Ransomware Hits UK IVF Clinics, Exposing Patient Data
Russian group Qilin breached the London Women’s Clinic, compromising sensitive reproductive health data of NHS patients. The attack occurred on October 19, 2025, with data later leaked on dark web forums.
Impact: Exposure of highly sensitive medical records.
Mitigation: Isolate affected systems, enforce MFA, and monitor dark web for leaks.
Source: DataBreaches.net
APT24 Deploys BadAudio Malware in 3-Year Espionage Campaign
China-linked APT24 delivered the BadAudio malware through fake software updates, supply-chain compromises, and phishing. The loader runs via DLL sideloading (a legitimate, typically signed executable loading the malicious DLL in place of the system library it expects) and deploys a Cobalt Strike Beacon for persistent access.
Impact: Long-term espionage targeting governments and enterprises.
Mitigation: Block malicious domains, monitor for unusual process behavior.
Source: BleepingComputer
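As an added example of the “unusual process behavior” worth monitoring here, the heuristic below flags DLL sideloading in Sysmon Event ID 7 (Image loaded) records: a DLL whose name belongs in the Windows system directories but is loaded from elsewhere, scored higher when it sits beside the loading executable and is unsigned. This is not code from the APT24/BadAudio reporting; the page names the technique but no host indicators, so the watched DLL names and sample events are constructed assumptions.

```python
"""Heuristic detection of DLL sideloading over Sysmon Event ID 7 records.

Added example, not from the APT24/BadAudio reporting. WATCHED_DLLS and
SAMPLE_EVENTS are constructed; tune the list to your own environment.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# DLLs that normally live only under the Windows system directories and are
# common sideloading targets (constructed list, not from the page).
WATCHED_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll",
                "userenv.dll", "profapi.dll", "msimg32.dll", "uxtheme.dll"}


def classify(evt):
    """Return a finding dict for a suspicious image load, or None if benign."""
    dll = evt["ImageLoaded"].lower()
    name = ntpath.basename(dll)
    if name not in WATCHED_DLLS or dll.startswith(SYSTEM_DIRS):
        return None
    dll_signed = evt.get("Signed", "false").lower() == "true"
    if dll_signed and evt.get("Signature", "").startswith("Microsoft"):
        return None  # Microsoft-signed redistributable shipped with an app (e.g. dbghelp.dll)
    exe = evt["Image"].lower()
    same_dir = ntpath.dirname(dll) == ntpath.dirname(exe)
    # Highest confidence: unsigned copy of a system DLL sitting next to the loader.
    severity = "high" if same_dir and not dll_signed else "medium"
    return {"severity": severity, "process": evt["Image"], "dll": evt["ImageLoaded"],
            "same_dir": same_dir, "dll_signed": dll_signed}


def scan(events):
    """Run classify() over a batch of Event ID 7 records and keep the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


SAMPLE_EVENTS = [  # constructed Sysmon Event ID 7 records
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Update\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Update\version.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Program Files\Debugger\debug.exe",
     "ImageLoaded": r"C:\Program Files\Debugger\dbghelp.dll",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\ProgramData\cache\wtsapi32.dll",
     "Signed": "false", "Signature": ""},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The Microsoft-signature exception keeps legitimately redistributed system DLLs (debuggers ship dbghelp.dll, for instance) out of the queue; everything else that matches goes to triage, with the loader-adjacent unsigned case first.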
50,000 ASUS Routers Compromised in Chinese Spy Operation
Operation WrtHug exploited 7 vulnerabilities (e.g., CVE-2024-12912) in ASUS routers, installing a 100-year TLS certificate for persistence. Most victims are in Taiwan and the US.
Impact: Creation of a botnet for espionage.
Mitigation: Patch routers or replace outdated models.
Source: SecurityWeek
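A 100-year certificate is an easy thing to look for on your own devices. The check below is an added example (not the researchers’ tooling) that parses the dates printed by `openssl x509 -noout -dates` and flags any leaf certificate whose validity period exceeds a limit; the 10-year limit and the two sample date blocks are assumptions.

```python
"""Flag TLS certificates with implausibly long validity on router/management interfaces.

Added example, not code from the WrtHug research. Parses the text that
`openssl x509 -noout -dates` prints; the samples at the bottom are constructed.
"""
import subprocess
from datetime import datetime, timezone

LIFETIME_LIMIT_DAYS = 10 * 365  # assumption: nothing legitimate on a LAN device needs more


def parse_openssl_dates(text):
    """Return (not_before, not_after) as aware datetimes from `openssl x509 -dates` output."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            dt = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
            dates[key.strip()] = dt.replace(tzinfo=timezone.utc)
    if set(dates) != {"notBefore", "notAfter"}:
        raise ValueError("missing notBefore/notAfter in openssl output")
    return dates["notBefore"], dates["notAfter"]


def assess(text, limit_days=LIFETIME_LIMIT_DAYS):
    """Compute the certificate lifetime and decide whether it is suspicious."""
    not_before, not_after = parse_openssl_dates(text)
    days = (not_after - not_before).days
    return {"not_before": not_before.isoformat(), "not_after": not_after.isoformat(),
            "lifetime_days": days, "suspicious": days > limit_days}


def fetch_dates(host, port=443, timeout=10):
    """Pull the leaf certificate dates from a live host with the openssl CLI (not run here)."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                          input=s_client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()


# Constructed samples in the exact format openssl prints.
SAMPLE_LONG = "notBefore=Nov 10 12:00:00 2025 GMT\nnotAfter=Nov 10 12:00:00 2125 GMT\n"
SAMPLE_NORMAL = "notBefore=Nov 10 12:00:00 2025 GMT\nnotAfter=Nov 10 12:00:00 2026 GMT\n"

if __name__ == "__main__":
    print(assess(SAMPLE_LONG))    # lifetime_days 36524, suspicious True
    print(assess(SAMPLE_NORMAL))  # lifetime_days 365, suspicious False
```

Run `assess(fetch_dates("192.0.2.1"))` against each router’s HTTPS management and cloud-sync ports; a certificate whose lifetime is measured in decades rather than months is worth treating as a compromise indicator regardless of whether the device is currently behaving.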
Sturnus Android Trojan Steals Encrypted WhatsApp/Signal Chats
Sturnus abuses Android accessibility services to read messages after the app has already decrypted them for display, and also carries banking overlays and VNC-based remote control of the device. Its overlays target customers of European banks.
Impact: Bypasses E2E encryption, enables financial fraud.
Mitigation: Avoid sideloading APKs, disable unnecessary permissions.
Source: The Hacker News
Russian Bulletproof Hosting Provider Sanctioned for Ransomware Ties
Media Land and ML Cloud were sanctioned by the US, UK, and Australia for supporting LockBit, BlackSuit, and Play ransomware. The firms facilitated DDoS attacks and data theft.
Impact: Enabled global ransomware campaigns.
Mitigation: Block associated IPs/ASNs, monitor for C2 traffic.
Source: SecurityWeek
SonicWall Patches Critical SSLVPN DoS Vulnerability (CVE-2025-40601)
A stack-based buffer overflow in the SSLVPN service of SonicWall Gen7 and Gen8 firewalls allows an unauthenticated remote attacker to crash the device. No in-the-wild exploitation has been reported so far.
Impact: Service disruption for VPN users.
Mitigation: Update to SonicOS 7.3.1-7013 or 8.0.3-8011.
Source: BleepingComputer
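The fixed builds are per generation, so “is my firewall patched?” is not a flat version comparison: 8.0.3-8011 is numerically higher than 7.3.1-7013, but says nothing about a Gen7 device on 7.x. The helper below is an added example (not SonicWall’s tooling) that compares a SonicOS version string against the fixed build for its own major line; the version strings it is tried on are constructed.

```python
"""Check whether a SonicOS build is at or past the CVE-2025-40601 fixed build.

Added example, not SonicWall's tooling. The fixed builds are the two quoted
in the brief; sample version strings are constructed.
"""
import re

FIXED_BUILDS = {7: (7, 3, 1, 7013), 8: (8, 0, 3, 8011)}   # from the brief
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)")     # e.g. 7.3.1-7013


def parse_sonicos(version):
    """'7.3.1-7013' -> (7, 3, 1, 7013); rejects strings that are not in SonicOS 7/8 form."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a SonicOS 7/8 version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """True if at/after the fixed build for that major line, False if older,
    None if the major line is not one the brief lists a fix for."""
    v = parse_sonicos(version)
    fixed = FIXED_BUILDS.get(v[0])
    if fixed is None:
        return None
    return v >= fixed


if __name__ == "__main__":
    for v in ("7.3.0-7012", "7.3.1-7013", "8.0.2-8020", "8.0.3-8011"):
        print(v, is_fixed(v))  # False True False True
```

A `None` result means the device is on a line the brief gives no fixed build for, so check the vendor advisory rather than assuming it is safe.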
D-Link DIR-878 Router Vulnerabilities Expose Users to RCE
Three RCE flaws (e.g., CVE-2025-60672) affect end-of-life D-Link routers. Public exploits exist, increasing botnet recruitment risk.
Impact: Full device compromise.
Mitigation: Replace unsupported hardware.
Source: BleepingComputer
ShadowRay 2.0 Exploits Unpatched Ray AI Framework for Crypto Mining
Attackers abuse CVE-2023-48022, the unauthenticated job-submission API of Ray dashboards that are reachable from the internet, to run XMRig and hijack NVIDIA GPUs for Monero mining. Over 230,500 Ray servers are exposed.
Impact: Resource hijacking, DDoS capabilities.
Mitigation: Keep Ray clusters on an isolated network with no Ray ports reachable from the internet, and use the Ray Open Ports Checker tool to confirm nothing is exposed.
Source: The Hacker News
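A quick local version of the exposure check is to look at which Ray ports are bound to a wildcard address. The script below is an added example (not Ray’s code or the Open Ports Checker) that parses `ss -ltnp` output and reports Ray’s default ports listening on all interfaces; the port-to-service names are Ray’s defaults and the socket listing is constructed.

```python
"""Find Ray service ports listening on all interfaces, from `ss -ltnp` output.

Added example, not Ray's or the Open Ports Checker's code. Port numbers are
Ray's defaults (GCS 6379, dashboard 8265, Ray client server 10001); the
listening-socket sample below is constructed.
"""
import subprocess

RAY_PORTS = {6379: "GCS", 8265: "dashboard / Jobs API", 10001: "Ray client server"}
WILDCARDS = {"0.0.0.0", "[::]", "*"}


def parse_ss(text):
    """Yield (host, port, process) for each LISTEN line of `ss -ltnp` output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        host, _, port = parts[3].rpartition(":")   # handles "[::]:6379" too
        proc = parts[5] if len(parts) > 5 else ""
        yield host, int(port), proc


def exposed_ray_ports(text):
    """Return Ray ports bound to a wildcard address, i.e. reachable from any interface."""
    return [
        {"port": port, "service": RAY_PORTS[port], "bound_to": host, "process": proc}
        for host, port, proc in parse_ss(text)
        if port in RAY_PORTS and host in WILDCARDS
    ]


def live_check():
    """Run against this machine (needs iproute2's ss; not executed in the test)."""
    out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    return exposed_ray_ports(out)


SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:8265        0.0.0.0:*        users:(("python3",pid=2211,fd=12))
LISTEN 0      128    127.0.0.1:10001     0.0.0.0:*        users:(("python3",pid=2211,fd=15))
LISTEN 0      511    [::]:6379           [::]:*           users:(("gcs_server",pid=2190,fd=9))
LISTEN 0      128    127.0.0.1:8000      0.0.0.0:*        users:(("nginx",pid=900,fd=6))
"""

if __name__ == "__main__":
    for finding in exposed_ray_ports(SAMPLE_SS):
        print(finding)  # dashboard on 0.0.0.0 and GCS on [::] are exposed; 10001 is not
```

In the constructed sample the dashboard (and with it the unauthenticated Jobs API) and GCS are bound to every interface while the client server is loopback-only. Keep the dashboard on loopback (`ray start --head --dashboard-host=127.0.0.1`) unless it sits behind an authenticating proxy, and firewall the rest of the cluster to the nodes that need it.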
Tsundere Botnet Uses Ethereum for C2 Resilience
The Tsundere botnet propagates via game-themed lures (e.g., Valorant) and uses Ethereum smart contracts to dynamically update C2 servers.
Impact: Distributed malware deployment.
Mitigation: Block malicious npm packages, monitor for suspicious Node.js activity.
Source: The Hacker News
Share this brief: https://svo.bz/NBhs