Svoboda Cybersecurity Brief December 10, 2025


North Korean Hackers Exploit React2Shell for EtherRAT Malware

North Korean threat actors are exploiting the React2Shell vulnerability (CVE-2025-55182) to deploy EtherRAT, a Node.js-based implant that uses Ethereum smart contracts for command and control and layers multiple Linux persistence mechanisms. The campaign overlaps with the Contagious Interview operation, which targets blockchain developers with fake job offers.
Impact: Remote code execution, persistent access, and data exfiltration.
Mitigation: Upgrade to patched React/Next.js versions, monitor for unexpected outbound Ethereum RPC traffic from servers, and rotate credentials on affected hosts.
Source: The Hacker News

Trumbull County Breach: Anubis Ransomware Exposes 350GB of Data

Despite the county's denials, the Anubis ransomware group leaked 350GB of Trumbull County (Ohio) data, including sensitive employee information. The attackers claim they remained in the network while audits were under way, and mocked county officials for issuing false security assurances.
Source: DataBreaches.net

Fortinet Warns of Critical SAML Auth Bypass Flaws

Fortinet patched CVE-2025-59718 and CVE-2025-59719, critical SAML authentication bypass flaws in FortiOS, FortiProxy, and FortiSwitchManager. An attacker can bypass FortiCloud SSO authentication by sending crafted SAML messages to a device with FortiCloud SSO enabled.
Impact: Unauthorized access to sensitive systems.
Mitigation: Upgrade to patched versions; as an interim workaround, disable FortiCloud SSO if it is enabled.
Source: BleepingComputer

SAP Fixes Three Critical Vulnerabilities

SAP addressed 14 flaws, including CVE-2025-42880 (code injection in Solution Manager, CVSS 9.9), CVE-2025-55754 (Apache Tomcat issues in Commerce Cloud, CVSS 9.6), and CVE-2025-42928 (deserialization in jConnect, CVSS 9.1).
Impact: Full system compromise via RCE.
Mitigation: Apply SAP Security Notes December 2025.
Source: BleepingComputer

US Offers $10M Bounty for Iranian Hackers

The US government announced a $10M reward for information on Shahid Shushtari (Emennet Pasargad), an IRGC-linked group targeting critical infrastructure and elections.
Source: SecurityWeek

Storm-0249 Abuses EDR for Ransomware Attacks

The initial access broker Storm-0249 now abuses a SentinelOne EDR binary via DLL sideloading to deploy ransomware. Tactics include fileless PowerShell execution and reading the host's MachineGuid to bind the encryption key to the victim machine.
Impact: Bypasses detection, enables ransomware deployment.
Mitigation: Monitor for trusted, signed processes loading unsigned DLLs (especially from the executable's own directory outside system paths), and restrict LoLBin execution.
Source: The Hacker News
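The sideloading hunt described above, as an added example that is not from the brief, the vendor, or any named tool: the script below runs a simple heuristic over Sysmon Event ID 7 (ImageLoad) records, flagging a DLL that is unsigned or carries an invalid signature, sits in the same directory as the executable that loaded it, and is outside the Windows system directories. All log records, file names and paths are constructed for the example; the field names follow Sysmon's ImageLoad event.

```python
"""Flag DLL sideloading candidates in Sysmon Event ID 7 (ImageLoad) records.

Heuristic (assumption for this example, not a vendor rule): a signed process
loads a DLL that is unsigned or whose signature is not valid, from the
process's own directory, and that directory is not a Windows system path.
"""
import json
from typing import Iterable, List, Tuple

# Lower-cased Windows system directories; DLLs loaded from here are expected.
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Constructed Sysmon ImageLoad records, one JSON object per line.
# "EdrAgent.exe" is a placeholder for a legitimate, signed agent binary
# copied to a user-writable directory next to a planted DLL.
SAMPLE_LOG = r"""
{"EventID":7,"Image":"C:\\Windows\\System32\\svchost.exe","ImageLoaded":"C:\\Windows\\System32\\ntdll.dll","Signed":"true","SignatureStatus":"Valid","Signature":"Microsoft Windows"}
{"EventID":7,"Image":"C:\\Users\\Public\\Update\\EdrAgent.exe","ImageLoaded":"C:\\Users\\Public\\Update\\version.dll","Signed":"false","SignatureStatus":"Unavailable","Signature":""}
{"EventID":7,"Image":"C:\\Program Files\\Vendor\\app.exe","ImageLoaded":"C:\\Program Files\\Vendor\\helper.dll","Signed":"true","SignatureStatus":"Valid","Signature":"Vendor Inc"}
{"EventID":7,"Image":"C:\\Users\\Public\\Update\\EdrAgent.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll","Signed":"true","SignatureStatus":"Valid","Signature":"Microsoft Windows"}
{"EventID":7,"Image":"C:\\Program Files\\Vendor\\app.exe","ImageLoaded":"C:\\Program Files\\Vendor\\plugin.dll","Signed":"true","SignatureStatus":"Invalid","Signature":"Vendor Inc"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami"}
"""


def win_dirname(path: str) -> str:
    """Lower-cased directory part of a Windows path; works on any host OS."""
    return path.lower().rsplit("\\", 1)[0]


def is_sideload_candidate(rec: dict) -> bool:
    """Apply the heuristic to one parsed Sysmon record."""
    if rec.get("EventID") != 7:
        return False  # only ImageLoad events carry signature data
    loader_dir = win_dirname(rec["Image"])
    dll_dir = win_dirname(rec["ImageLoaded"])
    # Treat "Signed":"false" and any non-Valid status (Invalid, Unavailable,
    # Expired...) the same: the loaded image cannot be trusted.
    untrusted = (rec.get("Signed", "").lower() != "true"
                 or rec.get("SignatureStatus") != "Valid")
    same_dir = dll_dir == loader_dir
    outside_system = not dll_dir.startswith(SYSTEM_DIRS)
    return untrusted and same_dir and outside_system


def find_sideloads(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (loader, dll) pairs for every record matching the heuristic."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if is_sideload_candidate(rec):
            hits.append((rec["Image"], rec["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for loader, dll in find_sideloads(SAMPLE_LOG.splitlines()):
        print(f"possible sideload: {loader} loaded {dll}")
```

The third and fourth records are deliberate non-matches: a validly signed DLL beside its own application, and a signed system DLL loaded by the suspicious binary. The last record shows a tampered or mis-signed plugin, which the heuristic still catches because it keys on SignatureStatus, not only on the Signed flag. In production, pair this with an allowlist of known vendor directories to keep noise down.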

Ransomware Gangs Adopt Shanya EXE Packer

Groups including Akira, Medusa, and Qilin use the Shanya packer-as-a-service to obfuscate EDR-killer tools. The service keeps payloads encrypted on disk and unpacks them only in memory, evading disk-based detection.
Impact: Evades AV, delivers ransomware/stealers.
Mitigation: Behavior-based detection for abnormal process injections.
Source: BleepingComputer

Microsoft Patches 57 Vulnerabilities, Including Zero-Day

December's Patch Tuesday fixed CVE-2025-62221 (an actively exploited flaw in the Windows Cloud Files driver) and critical Office RCE bugs (CVE-2025-62554, CVE-2025-62557).
Impact: Privilege escalation (Cloud Files driver) and RCE via malicious Office documents delivered by email.
Mitigation: Apply KB5074204 and Office updates.
Source: KrebsOnSecurity

Spain Arrests Teen for Stealing 64M Records

A 19-year-old hacker was arrested in Barcelona for stealing 64M records from 9 companies via breached HR platforms like Indeed. Data included DNI numbers, IBAN codes, and addresses.
Source: BleepingComputer

Google Chrome Adds Protections Against AI Prompt Injection

New User Alignment Critic and Agent Origin Sets in Chrome block indirect prompt injections targeting Gemini AI. Google offers $20K bounties for bypass proofs.
Impact: Prevents data exfiltration via poisoned AI prompts.
Mitigation: Keep Chrome up to date so the new protections are applied.
Source: The Hacker News

Malicious VS Code Extensions Steal Developer Data

Extensions BigBlack.bitcoin-black and BigBlack.codo-ai (removed by Microsoft) deployed Lightshot.dll to steal clipboard data, WiFi passwords, and browser sessions.
Impact: Credential theft, session hijacking.
Mitigation: Audit installed extensions, monitor suspicious PowerShell activity.
Source: The Hacker News

STAC6565 Targets Canada with QWCrypt Ransomware

The Gold Blade group (aka RedCurl) has shifted from espionage to ransomware, deploying QWCrypt against Canadian organizations through phishing emails carrying malicious resumes.
Impact: Data theft, ransomware deployment.
Mitigation: Treat unsolicited resume attachments as suspicious, and monitor for RedLoader DLL sideloading.
Source: The Hacker News

South Korea Raids Coupang Over Massive Data Leak

Police raided Coupang after a breach affecting 65% of South Korea’s population. Data was exfiltrated via overseas servers from June–November 2025.
Source: DataBreaches.net

DoD Telecom Contracts to Get Stricter Cyber Rules

The 2026 NDAA mandates enhanced encryption, obfuscation, and monitoring for DoD-provided mobile devices used in national security functions.
Source: DataBreaches.net

FinCEN Reports $2.1B in Ransomware Payments Since 2022

2023 saw a record 1,512 incidents ($1.1B paid), with ALPHV/BlackCat as the top variant. Healthcare, finance, and manufacturing were most targeted.
Source: DataBreaches.net

Adobe Patches 140 Vulnerabilities in ColdFusion, AEM

Critical flaws patched include CVE-2025-61808 (unrestricted file upload in ColdFusion) and CVE-2025-64537 (XSS in AEM).
Impact: RCE, data manipulation.
Mitigation: Apply ColdFusion 2025 Update 5 and AEM 2025.12.
Source: SecurityWeek

GhostSec Claims Cyberattack on Israeli Prison Service

The hacktivist group GhostSec allegedly breached Israel’s Prison Service, leaking data on inmates and staff.
Source: SecurityWeek
