Svoboda Cybersecurity Brief December 24, 2025
CEO sentenced for $1B healthcare fraud conspiracy
Gary Cox, CEO of Power Mobility Doctor Rx, was sentenced to 15 years for orchestrating a Medicare fraud scheme using fake telemedicine orders. The scheme involved $1B in fraudulent claims and $360M paid out by Medicare. Cox’s platform generated false doctors’ orders for unnecessary medical equipment.
Source: DataBreaches.net
DOJ seizes stolen-password database linked to $14.6M bank fraud
The domain web3adspanels.org, used to store stolen bank credentials for account takeovers, was seized. The attackers ran search ads impersonating banks on Google and Bing so that victims searching for their bank were redirected to phishing sites. The scheme caused $14.6M in losses across 19 victims.
Source: DataBreaches.net
WebRAT malware spreads via fake GitHub exploit repositories
Threat actors uploaded 15 GitHub repositories claiming to offer proof-of-concept exploits for vulnerabilities such as CVE-2025-59295 (a Windows MSHTML flaw). Victims who downloaded and ran the contents of the malicious ZIP files executed a dropper (rasmanesc.exe) that installed WebRAT, used for credential theft and webcam spying.
Impact: Arbitrary code execution, data theft.
Mitigation: Verify the repository and its maintainer before trusting a PoC, inspect archive contents before extracting anything, and run exploit code only in an isolated, disposable environment.
Source: BleepingComputer
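The point of the item above is that a "PoC" archive should be inspected before anything in it is run. The following is an added example, not code from the original brief or from the reporting it summarises: it lists the members of a ZIP file without extracting them and flags Windows executables by their PE (MZ) header rather than by file extension, so a dropper renamed to .dat is still caught. The sample archive is constructed inline to stand in for a fake-PoC download; the list of executable extensions is an assumption.

```python
import io
import posixpath
import zipfile

# Member extensions that have no place in a source-only PoC archive (assumed list)
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".vbs", ".lnk"}
PE_MAGIC = b"MZ"  # DOS header that every Windows PE file starts with


def audit_zip(data: bytes) -> list[dict]:
    """List every member with the reasons it looks dangerous, without extracting anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            reasons = []
            ext = posixpath.splitext(name)[1].lower()
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
            # Check the bytes, not the name: a PE renamed to .dat is still a PE
            with zf.open(info) as member:
                if member.read(len(PE_MAGIC)) == PE_MAGIC:
                    reasons.append("PE (MZ) header")
            # Zip-slip style names that would write outside the extraction directory
            parts = name.replace("\\", "/").split("/")
            if name.startswith(("/", "\\")) or ".." in parts:
                reasons.append("path escapes extraction directory")
            findings.append({"name": name, "size": info.file_size, "reasons": reasons})
    return findings


def is_clean(data: bytes) -> bool:
    """True only if no member raised a finding."""
    return all(not f["reasons"] for f in audit_zip(data))


def build_sample_archive() -> bytes:
    """Constructed stand-in for a fake-PoC download; not the real malicious archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("poc/README.md", "# CVE-2025-59295 PoC\n")
        zf.writestr("poc/exploit.py", "print('trigger')\n")
        zf.writestr("poc/rasmanesc.exe", PE_MAGIC + b"\x90" * 62)  # dropper-shaped stub
        zf.writestr("poc/payload.dat", PE_MAGIC + b"\x00" * 30)    # PE hiding behind a data extension
    return buf.getvalue()


if __name__ == "__main__":
    for f in audit_zip(build_sample_archive()):
        flag = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{flag:10} {f['name']:22} {f['size']:5}  {', '.join(f['reasons'])}")
```

Run it against a real download with `audit_zip(open(path, "rb").read())`; anything flagged belongs in a throwaway VM, not on a workstation.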
Chrome extensions “Phantom Shuttle” steal credentials from 170+ sites
Two malicious extensions (IDs fbfldogmkadejddihifklefknmikncaj and ocpcmfmiidofonkbodpdhgddhlcmcofd) route browser traffic through attacker-controlled proxies. They target high-value domains (GitHub, AWS, social media) and exfiltrate captured credentials encrypted with a hardcoded RSA key. Over 2,000 users are affected.
Impact: Credential theft, man-in-the-middle interception of browser traffic.
Mitigation: Remove the two extensions by ID, audit all installed extensions, and rotate any credentials entered in the browser while they were present.
Source: The Hacker News
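Auditing a fleet for the two extension IDs above is a filesystem check, since Chrome unpacks every installed extension under its own ID. The script below is an added example, not part of the original brief; it walks the default Chrome user-data directories (paths are assumed for Windows, macOS and Linux, and Chromium-based browsers such as Edge or Brave use the same layout under their own directory) and reports any profile that has one of the IDs installed. The `demo()` function builds a constructed profile tree in a temporary directory so the logic can be exercised offline.

```python
import os
import sys
import tempfile
from pathlib import Path

# Extension IDs named in the item above
PHANTOM_SHUTTLE_IDS = {
    "fbfldogmkadejddihifklefknmikncaj",
    "ocpcmfmiidofonkbodpdhgddhlcmcofd",
}


def chrome_user_data_dirs() -> list[Path]:
    """Default Chrome profile roots per platform (assumed paths)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [local / "Google" / "Chrome" / "User Data"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"]
    return [home / ".config" / "google-chrome", home / ".config" / "chromium"]


def find_extensions(user_data_dir: Path, wanted: set[str]) -> list[tuple[str, str, str]]:
    """Return (profile, extension_id, version) for every installed extension whose ID
    is in `wanted`. Chrome stores each one as <User Data>/<Profile>/Extensions/<id>/<version>/."""
    hits = []
    if not user_data_dir.is_dir():
        return hits
    for profile in sorted(p for p in user_data_dir.iterdir() if p.is_dir()):
        ext_root = profile / "Extensions"
        if not ext_root.is_dir():
            continue
        for ext_dir in sorted(ext_root.iterdir()):
            if ext_dir.name not in wanted:
                continue
            versions = sorted(v.name for v in ext_dir.iterdir() if v.is_dir()) or ["?"]
            hits.extend((profile.name, ext_dir.name, v) for v in versions)
    return hits


def audit_all(wanted: set[str] = PHANTOM_SHUTTLE_IDS) -> list[tuple[str, str, str]]:
    """Check every default Chrome user-data directory on this machine."""
    hits = []
    for root in chrome_user_data_dirs():
        hits.extend(find_extensions(root, wanted))
    return hits


def demo() -> list[tuple[str, str, str]]:
    """Constructed profile tree in a temp dir so the check can be exercised offline."""
    root = Path(tempfile.mkdtemp())
    layout = {
        "Default": {
            "fbfldogmkadejddihifklefknmikncaj": ["1.0.2"],
            "abcdefghijklmnopabcdefghijklmnop": ["2.0.0"],   # benign filler ID (constructed)
        },
        "Profile 1": {"ocpcmfmiidofonkbodpdhgddhlcmcofd": ["1.0.0", "1.0.1"]},
    }
    for profile, exts in layout.items():
        for ext_id, versions in exts.items():
            for v in versions:
                (root / profile / "Extensions" / ext_id / v).mkdir(parents=True)
    return find_extensions(root, PHANTOM_SHUTTLE_IDS)


if __name__ == "__main__":
    for hit in audit_all() or [("(no match)", "-", "-")]:
        print(hit)
```

On a managed fleet, run `audit_all()` per user (the paths are per home directory) and treat any hit as a credential-rotation event for that user, not just a removal.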
Critical n8n flaw (CVE-2025-68613) allows RCE with CVSS 9.9
A vulnerability in the n8n workflow automation platform (versions 0.211.0 through 1.120.3) enables arbitrary code execution because user-supplied workflow expressions are insufficiently isolated from the host. Over 100,000 internet-exposed instances may be affected.
Impact: Full system compromise.
Mitigation: Upgrade to 1.120.4 or later; until that is possible, restrict who can create or edit workflows to trusted users.
Source: The Hacker News
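With an affected range of 0.211.0 through 1.120.3 and a fix in 1.120.4, the practical check is a version comparison across an inventory of instances. The block below is an added example, not code from the brief or from the n8n project: it parses version strings as they typically appear (with or without a leading `v`, with an optional pre-release suffix) and sorts a host-to-version map into buckets. Hostnames and versions in `SAMPLE_INVENTORY` are constructed. The one edge case worth noting is handled explicitly: a pre-release such as `1.120.4-rc.1` sorts below `1.120.4`, so a release candidate of the fix is still reported as vulnerable.

```python
import re

# Range from the advisory as summarised above: 0.211.0 up to and including 1.120.3, fixed in 1.120.4.
# Tuples are (major, minor, patch, release_flag) where release_flag is 0 for a pre-release, 1 for final.
AFFECTED_FROM = (0, 211, 0, 1)
FIXED_IN = (1, 120, 4, 1)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'v1.120.3' or '1.120.4-rc.1' into a comparable tuple.
    The 4th element makes 1.120.4-rc.1 sort *below* 1.120.4."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_vulnerable(text: str) -> bool:
    """True if the version falls inside the affected range."""
    return AFFECTED_FROM <= parse_version(text) < FIXED_IN


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host->version map into vulnerable / not_affected / unknown buckets."""
    out = {"vulnerable": [], "not_affected": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            out["vulnerable" if is_vulnerable(version) else "not_affected"].append(host)
        except ValueError:
            out["unknown"].append(host)  # unparsable strings need a manual look, not silence
    return out


# Constructed inventory: hostnames and versions are made up for the example
SAMPLE_INVENTORY = {
    "n8n-prod.example.internal": "1.120.3",
    "n8n-staging.example.internal": "1.120.4",
    "n8n-rc.example.internal": "1.120.4-rc.1",
    "n8n-new.example.internal": "v1.121.0",
    "n8n-legacy.example.internal": "0.210.2",
    "n8n-old.example.internal": "0.211.0",
    "n8n-unknown.example.internal": "latest",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed `triage()` whatever your asset inventory reports for n8n; anything in the `unknown` bucket (for example an image tagged `latest`) should be resolved to a concrete version before it is marked as patched.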
INTERPOL arrests 574 in African cybercrime crackdown
Operation Sentinel dismantled BEC and ransomware networks across 19 countries, recovering $3M and decrypting 6 ransomware variants. Notable cases include a Ghanaian bank attack ($120K stolen) and a Senegal BEC attempt ($7.9M intercepted).
Source: The Hacker News
French postal services hit by DDoS attack during holiday rush
La Poste and its banking arm suffered a major outage that disrupted package tracking and online payments. Attackers overwhelmed the public-facing systems with DDoS traffic, while OT infrastructure remained operational. No data breach has been confirmed.
Source: BleepingComputer
Baker University discloses breach affecting 53,624 individuals
Attackers accessed systems in December 2024 and stole names, Social Security numbers, and financial and medical data. The university rebuilt the compromised platforms but gave no details on the attacker's identity or any ransom demand.
Source: BleepingComputer
NPM package “Lotusbail” hijacks WhatsApp accounts
The malicious library (56,000+ downloads) intercepts WhatsApp authentication tokens and messages and exfiltrates them RSA-encrypted. The attackers also link their own devices to victims' accounts for persistent access.
Impact: Account takeover, data leakage.
Mitigation: Remove the package from project dependencies and lockfiles, then review the linked-devices list in WhatsApp settings and unlink anything unrecognised.
Source: SecurityWeek
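Finding out whether a project pulled in the package above, including as a transitive dependency buried under another library, means reading the lockfile rather than package.json. The function below is an added example, not code from the brief; it searches a package-lock.json for a package by name in both the flat `packages` map used by lockfileVersion 2 and 3 and the nested `dependencies` tree of lockfileVersion 1, matching case-insensitively because npm names are lowercase. The two sample lockfiles are constructed, and the wrapper package name and version numbers in them are made up.

```python
import json


def find_package(lock_text: str, needle: str) -> list[tuple[str, str]]:
    """Return (install_path, version) for every copy of `needle` in a package-lock.json."""
    lock = json.loads(lock_text)
    needle = needle.lower()
    hits: list[tuple[str, str]] = []

    if "packages" in lock:  # lockfileVersion 2 / 3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            # aliased installs carry the real name in "name"; otherwise it is the path tail
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if name.lower() == needle:
                hits.append((path, meta.get("version", "?")))
    else:  # lockfileVersion 1: nested "dependencies" tree
        def walk(deps: dict, prefix: str) -> None:
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if name.lower() == needle:
                    hits.append((path, meta.get("version", "?")))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return hits


# Constructed v3 lockfile: the package arrives transitively via a made-up wrapper library
SAMPLE_LOCK_V3 = json.dumps({
    "name": "chat-bot",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "chat-bot", "dependencies": {"some-wa-wrapper": "^2.0.0"}},
        "node_modules/some-wa-wrapper": {"version": "2.1.0", "dependencies": {"lotusbail": "^1.0.0"}},
        "node_modules/some-wa-wrapper/node_modules/lotusbail": {"version": "1.0.3"},
    },
})

# Same dependency graph written the lockfileVersion 1 way (constructed)
SAMPLE_LOCK_V1 = json.dumps({
    "name": "chat-bot",
    "lockfileVersion": 1,
    "dependencies": {
        "some-wa-wrapper": {
            "version": "2.1.0",
            "requires": {"lotusbail": "^1.0.0"},
            "dependencies": {"lotusbail": {"version": "1.0.3"}},
        }
    },
})

if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        print(label, find_package(lock, "Lotusbail"))
```

`npm ls lotusbail` gives the same answer for a single checked-out project; the function is for scanning many lockfiles from a repository mirror without installing anything.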
Romanian water agency hit by ransomware, OT systems unharmed
Attackers compromised 1,000 IT systems (GIS servers, databases), but critical water operations were unaffected. The incident affected 10 regional offices of Administrația Națională Apele Române.
Source: DataBreaches.net