Svoboda Cybersecurity Brief November 28, 2025

OpenAI API Customer Data Breach via Third-Party Vendor

OpenAI disclosed a data breach involving customer information exposed through a hack of analytics vendor Mixpanel. The exposed data includes names, email addresses, approximate locations, OS/browser details, and organization/user IDs from OpenAI’s API platform. No credentials, payment info, or API usage data was compromised.
Impact: Potential phishing/social engineering risks.
Mitigation: OpenAI removed Mixpanel integration and is notifying affected users.
Source: BleepingComputer

Bloody Wolf Expands NetSupport RAT Attacks in Central Asia

The threat actor Bloody Wolf is targeting Kyrgyzstan and Uzbekistan with phishing campaigns impersonating government ministries, delivering malicious Java archives (JARs) to deploy NetSupport RAT. The attacks exploit social engineering and geofencing (restricting payloads to Uzbek IPs).
Impact: Targets finance, government, and IT sectors.
Mitigation: Monitor for phishing PDFs/JARs and restrict Java execution.
Source: The Hacker News

Asahi Ransomware Attack Exposes 2 Million Individuals

Asahi Group confirmed Qilin ransomware stole personal data of 2 million individuals, including employees and customers. Compromised data includes names, addresses, phone numbers, and email addresses. Systems remain partially disrupted since the September attack.
Impact: Operational disruption and identity theft risks.
Mitigation: Phased system restoration with enhanced security controls.
Source: SecurityWeek

Microsoft Entra ID to Block Unauthorized Scripts in 2026

Microsoft announced Content Security Policy (CSP) updates for Entra ID logins, blocking unauthorized scripts to prevent XSS attacks. Only scripts from trusted Microsoft CDNs will execute during authentication.
Impact: Reduced risk of credential theft via script injection.
Mitigation: Test sign-in flows and avoid code-injecting browser extensions.
Source: The Hacker News

ShadowV2 Botnet Exploits IoT Vulnerabilities for DDoS Attacks

The Mirai-based ShadowV2 botnet is actively targeting IoT devices via CVE-2024-3721 (TBK), CVE-2024-53375 (TP-Link), and other flaws. Another botnet, RondoDox, is similarly exploiting IoT vulnerabilities.
Impact: Recruitment of devices for large-scale DDoS campaigns.
Mitigation: Patch IoT devices and segment networks.
Source: The Hacker News

Retell AI API Flaw Enables Large-Scale Voice Scams

A flaw in Retell AI’s voice-agent API allows attackers to bypass guardrails, enabling automated phishing calls and misinformation campaigns. The unpatched vulnerability stems from excessive permissions in the LLM.
Impact: Scalable social engineering and data leaks.
Mitigation: Restrict API access until fixes are implemented.
Source: The Hacker News

QuietEnvelope Malware Targets OpenFind Mail Servers

ESET uncovered QuietEnvelope, a stealthy toolset targeting OpenFind MailGates servers via Perl scripts and kernel modules. The malware exfiltrates data via SMTP and HTTP, with suspected ties to a Chinese state-sponsored actor.
Impact: Persistent backdoor access to email infrastructure.
Mitigation: Monitor for suspicious Perl scripts and kernel modules.
Source: The Hacker News

ShinyHunters Linked to Gainsight Data Breach and New RaaS

Gainsight confirmed a Salesforce-integration breach attributed to ShinyHunters, exposing customer data. The group is also developing ShinySp1d3r ransomware, featuring novel evasion techniques like hooking Windows event logs.
Impact: Credential theft and ransomware deployment risks.
Mitigation: Rotate S3 keys and reset SSO integrations.
Source: The Hacker News

NTLM Vulnerabilities Exploited for Credential Theft

Attackers are abusing CVE-2024-43451 and CVE-2025-33073 to leak NTLM hashes for lateral movement and privilege escalation. Targets include financial sectors in Uzbekistan and Russia.
Impact: Credential relay attacks and network compromise.
Mitigation: Disable NTLM where possible and enforce SMB signing.
Source: The Hacker News
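The mitigation above (disable NTLM where possible, enforce SMB signing) is easy to state and easy to get half-done, so here is an added PowerShell example of what a defender would actually check and change on a Windows host. It is not code from the brief or from The Hacker News; it assumes an elevated session on Windows 8 / Server 2012 or later (where the SmbShare cmdlets exist) and reads the standard registry values behind the "Network security: Restrict NTLM" and "LAN Manager authentication level" policies.

```powershell
# Added example, not part of the brief: audit and enforce SMB signing and NTLM
# restriction state on a single Windows host. Run from an elevated PowerShell.

function Get-NtlmHardeningState {
    # SMB signing is negotiated per side; both server and client must require it
    # for relay attacks against SMB to fail.
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # NTLM policy values. A missing value means "not configured" (defaults apply).
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"
    $lm  = Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    $msvProps = Get-ItemProperty -Path $msv -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SmbServerSigningRequired     = $server.RequireSecuritySignature
        SmbClientSigningRequired     = $client.RequireSecuritySignature
        # 5 = send NTLMv2 only, refuse LM and NTLM (the usual hardening target)
        LmCompatibilityLevel         = $lm.LmCompatibilityLevel
        # 0 allow all, 1 deny domain accounts, 2 deny all incoming NTLM
        RestrictReceivingNTLMTraffic = $msvProps.RestrictReceivingNTLMTraffic
        # 0 allow all, 1 audit, 2 deny all outgoing NTLM to remote servers
        RestrictSendingNTLMTraffic   = $msvProps.RestrictSendingNTLMTraffic
        # 0 off, 1 audit domain accounts, 2 audit all incoming NTLM
        AuditReceivingNTLMTraffic    = $msvProps.AuditReceivingNTLMTraffic
    }
}

function Get-RecentNtlmAuthEvents {
    param([int]$Hours = 24)
    # The NTLM operational log is off by default; enable it before relying on this.
    # Event IDs 8001-8004 record outgoing/incoming NTLM authentications and blocks.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{n='EventId';e={$_.Name}}, Count
}

function Enable-NtlmAuditing {
    # Audit-only step: log all incoming NTLM without blocking anything yet, so
    # legacy dependencies surface before NTLM is restricted.
    $msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
    wevtutil set-log 'Microsoft-Windows-NTLM/Operational' /enabled:true
}

function Set-SmbSigningRequired {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Requiring signatures breaks clients that cannot sign (very old devices,
    # some printers/NAS); confirm the audit output first, then enforce.
    if ($PSCmdlet.ShouldProcess('SMB server', 'require security signature')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
    if ($PSCmdlet.ShouldProcess('SMB client', 'require security signature')) {
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }
}

# Typical sequence: inspect, turn on auditing, review, then enforce.
Get-NtlmHardeningState | Format-List
Enable-NtlmAuditing
Get-RecentNtlmAuthEvents -Hours 24
Set-SmbSigningRequired -WhatIf   # drop -WhatIf once the audit shows no signing-incapable clients
```

In a domain, set the same values through Group Policy rather than per host; the policies write the registry values read above, so the audit function still reports the effective state. Fully disabling NTLM (RestrictReceivingNTLMTraffic = 2) only after a period of auditing keeps the change from taking down services that silently depended on it.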

Smishing Triad Targets Egypt with Financial Phishing Kit

The Smishing Triad is impersonating Egyptian services like Fawry and Egypt Post using the Panda phishing kit. The group leverages compromised domains and Telegram for distribution.
Impact: Large-scale smishing campaigns harvesting PII.
Mitigation: Block suspicious domains and educate users.
Source: The Hacker News
