Svoboda Cybersecurity Brief November 27, 2025
New ShadowV2 IoT Botnet Exploiting Known Vulnerabilities
A new Mirai-based botnet malware named ShadowV2 has been targeting IoT devices from D-Link, TP-Link, and others using eight known vulnerabilities, including unpatched flaws in end-of-life D-Link routers. The botnet was active during the AWS outage in October, suggesting a test run.
Impact: Targets government, tech, manufacturing, and MSSP sectors globally via DDoS attacks.
Mitigation: Update firmware, disable internet-exposed services, and monitor for IoCs.
Source: BleepingComputer
Qilin Ransomware Hits South Korean Financial Sector
A supply chain attack via a compromised MSP led to the deployment of Qilin ransomware across 28 South Korean financial firms, exfiltrating 2TB of data. The attackers framed the leaks as exposing corruption, blending financial and political motives.
Impact: Extortion targeting financial stability, potential North Korean (Moonstone Sleet) involvement.
Mitigation: Enforce MFA, segment networks, and audit third-party vendors.
Source: The Hacker News
Shai-Hulud v2 Campaign Spreads to Maven, Stealing Secrets
The Shai-Hulud v2 supply chain attack has expanded from npm to Maven Central, compromising over 830 packages. The malware steals API keys, cloud credentials, and GitHub tokens, using stolen tokens to exfiltrate data via GitHub workflows.
Impact: Over 28,000 repositories affected, 11,858 secrets leaked (2,298 still valid).
Mitigation: Rotate exposed tokens, audit dependencies, and enforce CI/CD least-privilege access.
Source: The Hacker News
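The "audit dependencies" step above is easiest to act on with a script that checks a lockfile against a list of known-compromised package versions. The block below is an added illustration, not code from the brief or from any of the cited reports: it reads an npm lockfile (lockfileVersion 2/3 "packages" map) and a denylist of name@version lines, and reports every installed copy that matches, including nested copies under another package's node_modules. The package names and versions in the sample data are constructed placeholders, not the real Shai-Hulud list.

```javascript
// Lockfile audit against a package denylist (added example, constructed data).

// Lockfile v2/v3 keys look like "node_modules/foo" or
// "node_modules/foo/node_modules/bar"; the package name is whatever follows
// the last "node_modules/".
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Parse a denylist of "name@version" lines ("*" matches every version).
// Using lastIndexOf('@') keeps scoped names such as "@scope/pkg@1.0.0" intact.
function parseDenylist(text) {
  const map = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const at = line.lastIndexOf('@');
    if (at <= 0) continue; // no version part, or a bare scoped name
    const name = line.slice(0, at);
    const version = line.slice(at + 1);
    if (!map[name]) map[name] = new Set();
    map[name].add(version);
  }
  return map;
}

// Return every installed entry that matches the denylist, with its lockfile path
// so nested copies (transitive dependencies) are reported separately.
function auditLockfile(lockfile, denylist) {
  const hits = [];
  for (const [key, meta] of Object.entries(lockfile.packages || {})) {
    if (key === '') continue; // root project entry
    const name = packageNameFromKey(key);
    if (!name || !meta.version) continue;
    const bad = denylist[name];
    if (bad && (bad.has('*') || bad.has(meta.version))) {
      hits.push({ name, version: meta.version, path: key });
    }
  }
  return hits;
}

// Constructed sample inputs (placeholder package names, not real packages).
const SAMPLE_DENYLIST = `
# name@version, one per line; "*" matches every version
example-compromised-pkg@1.2.3
@example-scope/compromised-lib@*
`;

const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.1.0' },
    'node_modules/example-compromised-pkg': { version: '1.2.3' },
    'node_modules/example-ok-pkg': { version: '2.0.0' },
    // nested copy of the same package at a version that is NOT on the list
    'node_modules/example-ok-pkg/node_modules/example-compromised-pkg': { version: '1.2.2' },
    'node_modules/@example-scope/compromised-lib': { version: '0.9.0' },
  },
};

function runSampleAudit() {
  return auditLockfile(SAMPLE_LOCKFILE, parseDenylist(SAMPLE_DENYLIST));
}

console.log(runSampleAudit());
```

In practice the lockfile would be loaded with JSON.parse from package-lock.json and the denylist from the advisory you are acting on; any hit is a reason to rotate every token the affected CI job could reach, not just to remove the package.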
Critical Auth Bypass in ASUS Routers with AiCloud
ASUS patched a critical authentication bypass flaw (CVE-2025-59366) in routers with AiCloud enabled, allowing unauthenticated command injection. The flaw resembles earlier exploited vulnerabilities tied to Chinese-linked campaigns.
Impact: Full device compromise, potential botnet recruitment.
Mitigation: Update firmware, disable WAN-facing services, and use strong passwords.
Source: BleepingComputer
RomCom Hackers Abuse SocGholish to Deliver Mythic Agent
Russian-backed RomCom used SocGholish fake updates to deploy Mythic Agent on a US civil engineering firm linked to a Ukrainian sister city. The attack chain included a Python backdoor and DLL loader.
Impact: Espionage targeting Ukraine-affiliated entities.
Mitigation: Block SocGholish domains, monitor for suspicious PowerShell/Python activity.
Source: The Hacker News
Ransomware Disrupts US Emergency Alert Systems
The Inc Ransom group attacked OnSolve CodeRED, a critical emergency alert system, stealing user data and disrupting services nationwide. Negotiations failed after a $100k ransom offer.
Impact: Delayed emergency notifications, leaked PII (emails, phone numbers).
Mitigation: Reset legacy platform passwords, migrate to updated systems.
Source: SecurityWeek
Node-Forge Library Fixes High-Severity Signature Bypass
A high-severity flaw (CVE-2025-12816) in the node-forge library allowed malformed ASN.1 data to bypass signature checks. With 26M weekly downloads, the library's exposure puts a very large number of dependent applications at risk.
Impact: Authentication bypass, code execution in dependent apps.
Mitigation: Update to node-forge v1.3.2.
Source: BleepingComputer
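The node-forge details above are the report's, and the block below does not reproduce the CVE's mechanics or any node-forge code. It is an added illustration of the general defensive rule behind this class of bug: a DER reader that feeds signature verification should reject indefinite lengths, non-minimal lengths, lengths that overrun the input and trailing bytes, rather than tolerate them and risk disagreeing with the signer about what was signed. The sample encodings are constructed, not taken from any real certificate or signature.

```javascript
// Strict DER TLV reader (added example, not node-forge's parser).

class DerError extends Error {}

// Decode one tag-length-value element at `offset`. Returns { tag, value, end }
// where `end` is the offset just past the element. Throws DerError on any
// encoding that DER forbids.
function readTlv(buf, offset = 0) {
  if (offset + 2 > buf.length) throw new DerError('truncated header');
  const tag = buf[offset];
  if ((tag & 0x1f) === 0x1f) throw new DerError('multi-byte tags not supported here');
  let pos = offset + 1;
  let length = buf[pos++];
  if (length === 0x80) throw new DerError('indefinite length is not DER');
  if (length & 0x80) {
    const n = length & 0x7f;
    if (n > 4) throw new DerError('bad long-form length');
    if (pos + n > buf.length) throw new DerError('truncated length');
    length = 0;
    for (let i = 0; i < n; i++) length = length * 256 + buf[pos++];
    // DER: long form only when the value does not fit in one short-form byte,
    // and the length bytes carry no leading zero.
    if (length < 0x80 || buf[offset + 2] === 0x00) throw new DerError('non-minimal length');
  }
  if (pos + length > buf.length) throw new DerError('length exceeds input');
  return { tag, value: buf.subarray(pos, pos + length), end: pos + length };
}

// Parse one top-level element and refuse anything left over after it.
function parseDerStrict(buf) {
  const { tag, value, end } = readTlv(buf, 0);
  if (end !== buf.length) throw new DerError(`${buf.length - end} trailing byte(s)`);
  return { tag, value };
}

// Decode a SEQUENCE into its children, applying the same strictness to each.
function parseSequence(buf) {
  const { tag, value } = parseDerStrict(buf);
  if (tag !== 0x30) throw new DerError('expected SEQUENCE');
  const children = [];
  let pos = 0;
  while (pos < value.length) {
    const el = readTlv(value, pos);
    children.push({ tag: el.tag, value: el.value });
    pos = el.end;
  }
  return children;
}

// Classify an input as accepted or rejected, keeping the rejection reason.
function checkDer(buf) {
  try {
    parseSequence(buf);
    return { ok: true };
  } catch (e) {
    if (e instanceof DerError) return { ok: false, reason: e.message };
    throw e;
  }
}

// Constructed samples (not from any real signature or certificate).
const SAMPLES = {
  // SEQUENCE { INTEGER 5 }, canonical DER
  canonical: Buffer.from([0x30, 0x03, 0x02, 0x01, 0x05]),
  // same content, long-form length 0x81 0x03 where 0x03 is required
  nonMinimalLength: Buffer.from([0x30, 0x81, 0x03, 0x02, 0x01, 0x05]),
  // canonical element followed by a stray byte
  trailingByte: Buffer.from([0x30, 0x03, 0x02, 0x01, 0x05, 0xff]),
  // indefinite-length form (BER, never DER)
  indefinite: Buffer.from([0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00]),
  // inner INTEGER claims more bytes than the SEQUENCE contains
  overrun: Buffer.from([0x30, 0x03, 0x02, 0x05, 0x05]),
};

for (const [name, bytes] of Object.entries(SAMPLES)) {
  console.log(name, checkDer(bytes));
}
```

Only the canonical sample is accepted; every other sample is rejected with a specific reason, which is the behaviour you want from any parser that sits in front of a signature check.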
London Councils Hit by Cyberattack, Shared IT Compromised
Three London councils (RBKC, WCC, LBHF) faced IT disruptions due to a cyberattack on shared infrastructure, forcing them to activate emergency service plans. No ransomware group has claimed responsibility yet.
Impact: Disabled phone lines, delayed critical services for 360,000 residents.
Source: BleepingComputer
Comcast Fined $1.5M for Vendor Breach Affecting 270K Customers
A debt collector (FBCS) breach exposed Comcast customer data (SSNs, account details) months after the vendor was compromised. Comcast denied wrongdoing but agreed to enhanced oversight.
Impact: 273K customers affected; delayed breach notification (5 months).
Source: BleepingComputer
Chrome Extension Siphons Solana Funds via Hidden Transfers
The Crypto Copilot extension injected unauthorized 0.05% fees into Raydium swaps, sending SOL to an attacker-controlled wallet. The extension remains on the Chrome Web Store.
Impact: Silent theft of cryptocurrency during swaps.
Mitigation: Uninstall the extension, audit wallet transactions.
Source: The Hacker News