[InfoSec MASHUP] 06/2025
Malware in Several Apps on Official Mobile App Stores; Ransomware Payments Dropped 35% in '24; Discoveries about DeepSeek's (Lack of) Privacy; EU Released Guidance on its AI Act.
Welcome to the 2933 new members from the last 30 days! This newsletter now has 1,660 subscribers.
🔐 NordVPN Birthday Campaign 🎉 (February 5 – March 19)
Special Birthday Offer: up to 73% off on 2-year plans + 6 months free purchasing Ultra, Ultimate, Complete, Plus, Standard plans.
Breaches & Security Incidents
💸 Ransomware payments fell by 35% in 2024, dropping to $812.55 million from $1.25 billion in 2023, despite an increase in attacks. This decline is attributed to disruptions of major ransomware groups and improved cybersecurity practices among organizations. Many attackers are now holding onto funds instead of cashing out, likely due to fears of law enforcement scrutiny.
🇬🇧 British engineering company IMI has reported a cybersecurity incident involving unauthorized access to its systems. This comes just days after rival firm Smiths Group disclosed a similar hacking attempt. IMI is working with external experts to investigate the situation and comply with regulations.
🇺🇸 Grubhub has confirmed a data breach that affected the personal information of some customers and drivers. Hackers accessed names, email addresses, phone numbers, and partial payment card details through a third-party service provider. Grubhub has since removed the affected account and is investigating the incident.
🇬🇧 Casio UK's website was infected with a web skimmer that collected visitors' personal and payment information between January 14 and January 24. The skimmer displayed a fake payment form while redirecting users to the legitimate checkout page, making it hard for them to notice the scam. This attack happened because the website's security policy did not prevent the skimmer from being loaded.
🔊 Interested in Reaching a Cybersecurity Audience?
Amplify your brand’s presence by sponsoring the InfoSec MASHUP newsletter!
Reach dedicated readers in the cybersecurity field with each issue! Contact us to explore sponsorship opportunities.
Cybercrime, Cyber Espionage, APTs
🇺🇸 🇨🇳 A former Google engineer, Linwei Ding, is charged with economic espionage for allegedly stealing trade secrets to help China's AI industry — He faces multiple counts of espionage and theft, with a potential prison sentence of up to 15 years for each charge. Ding founded a startup in China and sought to develop technology that would enhance China's computing capabilities.
🇪🇸 Spanish police arrested a suspected hacker in Alicante for carrying out 40 cyberattacks on military and public organizations, including NATO and the US Army. The hacker used aliases to leak and sell stolen data on dark web forums, targeting sensitive information from various agencies. Authorities found multiple computers and cryptocurrency accounts during the arrest, and the suspect could face up to 20 years in prison.
🇨🇦 ⚖️ A Canadian man, Andean Medjedovic, has been charged with stealing $65 million by exploiting vulnerabilities in decentralized finance (DeFi) platforms. He allegedly drained funds from two DeFi protocols and attempted to extort victims for the return of half the stolen assets. If convicted, he could face a total of up to 70 years in prison for his crimes.
🇻🇳 The XE Group, a cybercriminal organization active for over a decade, has shifted from credit card fraud to exploiting zero-day vulnerabilities, threatening global supply chains. They have successfully maintained access to compromised systems for years, demonstrating advanced tactics and patience. Recent findings show their operations have evolved, highlighting a significant change in their strategy.
Government, Politics, and Privacy
🇬🇧 👀 The UK government has secretly ordered Apple to create a backdoor for accessing users' encrypted iCloud data. This demand, made under the Investigatory Powers Act, seeks broad access to all encrypted files rather than specific accounts. As a result, Apple may stop offering its encrypted cloud storage in the UK to protect user privacy.
🇺🇸 Cybersecurity experts are alarmed by Elon Musk's actions with the DOGE team, fearing they may expose sensitive data of federal employees and violate security laws. Concerns center around unauthorized access to crucial government payment systems, which could create vulnerabilities for hackers. Critics warn that this interference could lead to significant failures in federal operations and damage trust in these essential systems.
🇮🇱 🇺🇸 Paragon Solutions, an Israeli spyware maker, confirmed it sells its products to the U.S. government and allied countries. The company claims to have a zero-tolerance policy against targeting journalists and civil society figures, despite allegations that its spyware was used in a hacking campaign against 90 such individuals. Specific details about Paragon's customers and its investigation into these allegations remain unclear.
Partners and Affiliates
🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

Malware & Threats
🦠 Microsoft warns that attackers are using publicly exposed ASP.NET machine keys to inject malware into web applications. These keys, meant to protect data, can be found in online code repositories and have been used in recent attacks to execute malicious code on servers. To prevent such attacks, Microsoft advises developers to securely generate their own keys and avoid using default or publicly available ones.
🚪 A Google-run service for Go developers hosted a backdoored package for over three years — This malicious file used a technique called typosquatting, tricking users into downloading it instead of the legitimate version. Researchers alerted the service twice before the harmful package was finally removed.
🦠 📱 Researchers found malware in several iOS and Android apps on official app stores that can steal cryptocurrency wallet recovery phrases. This malicious software, called Spark, was downloaded over 242,000 times and targets users in various countries. Users are advised to check for these apps and remove them to protect their sensitive information.
🇷🇺 🇺🇦 SmokeLoader: Russian cybercrime groups are exploiting a recently patched vulnerability in the 7-Zip tool to deliver malware, targeting organizations in Ukraine. This flaw allows attackers to bypass Windows security protections and execute harmful code through deceptive phishing emails. Users are advised to update their software and be cautious with email attachments to avoid falling victim to these attacks.
🦠 🇰🇵 North Korean hackers are using fake job interviews to spread malware called FERRET on macOS systems. They pose as recruiters on LinkedIn and trick targets into installing malicious software under the guise of video meeting tools. This campaign has expanded to affect developers, showing a shift in their attack strategies.
🦠 🐋 Malicious actors have uploaded fake DeepSeek AI tools on PyPI to steal sensitive data from developers. The packages, named "deepseeek" and "deepseekai", were quickly identified and removed after 222 developers downloaded them. Affected users should change their API keys and check for any compromised accounts.
🦠 🇧🇷 Coyote malware is targeting Brazilian Windows users and has expanded its reach to 1,030 websites and 73 financial institutions. It can steal sensitive information through keylogging and phishing, using a complex infection process that starts with a malicious shortcut file. This Trojan poses a significant threat to financial security as it can adapt to target more sites and users.
AI, Crypto, Tech & Tools
🤗 Researchers found two machine-learning models on Hugging Face that contained malicious code hidden in "pickle" files, which can execute untrusted Python code. Hugging Face is aware of these risks and has tools to detect such threats, but some models managed to evade detection. The findings highlight ongoing security concerns with pickle files in the AI development community.
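The pickle risk above comes from the format itself: a pickle stream can name any importable callable (GLOBAL / STACK_GLOBAL opcodes) and call it on load (REDUCE). The following is an added example, not code from the original item or from Hugging Face: it lists the globals a pickle references without executing it, and loads it through a restricted unpickler that only resolves an assumed allow-list of plain data types, so a model file that smuggles a callable is rejected rather than run.

```python
import io
import pickle
import pickletools

# Assumed allow-list: the only (module, name) pairs a plain weights pickle needs.
ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
           ("collections", "OrderedDict")}

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "UNICODE", "STRING", "SHORT_BINSTRING"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """List every (module, name) the pickle imports, by walking opcodes only.

    GLOBAL (protocol <= 3) carries "module name" inline; STACK_GLOBAL (protocol 4+)
    takes the two most recently pushed strings. Memo lookups are not modelled, so
    this is a triage view; the restricted loader below is the actual control.
    """
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global outside ALLOWED, so REDUCE never gets a callable."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class _CallsOnLoad:
    """Constructed sample: __reduce__ makes the unpickler call builtins.print()."""

    def __reduce__(self):
        return (print, ("pickle payload ran",))


# Constructed inputs: a harmless weights-style dict and a pickle carrying a callable.
BENIGN_WEIGHTS = pickle.dumps({"layer.0.weight": [0.1, -0.2], "layer.0.bias": [0.0]})
SUSPICIOUS = pickle.dumps(_CallsOnLoad())
```

Running `referenced_globals` on a downloaded model file before any `torch.load`-style call gives a quick triage signal; `safe_load` is the enforcement step.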

🍎 🐋 The DeepSeek iOS app, which recently gained popularity as an AI chatbot, sends sensitive data without encryption to servers owned by ByteDance, the company behind TikTok. This lack of security makes the data vulnerable to interception and tampering. Although some data is encrypted during transmission, it can be linked to users once it reaches ByteDance's servers.
🇨🇳 🐋 Researchers found that the popular Chinese chatbot DeepSeek has code linking it to China Mobile, a state-owned telecom banned from operating in the U.S. This code could potentially send user data to China, raising national security concerns. Experts warn that using DeepSeek might expose sensitive personal and business information to a geopolitical adversary.
🇺🇸 🐋 U.S. lawmakers are proposing a ban on the Chinese AI app DeepSeek from federal devices due to concerns about surveillance and misinformation. The bipartisan bill aims to protect national security, similar to existing restrictions on TikTok. Exceptions will be made for national security research, but the goal is to prevent potential data exploitation by the Chinese government.
🪖 🤖 Google has removed a pledge from its website promising not to develop AI for weapons or surveillance. The change was noticed after an update to its public AI principles page. The company now emphasizes working to avoid harmful outcomes and align with international laws and human rights.
🇪🇺 🤖 The European Union has released guidance on its AI Act, which bans certain high-risk uses of artificial intelligence. Developers must follow these guidelines to avoid penalties, which can reach up to 7% of global revenue. While the guidelines help explain the law, they are not legally binding, and enforcement will depend on regulators and courts.
Partners and Affiliates
⚡️ Unlock Your Peak Performance – First Month FREE!
Optimize your sleep, recovery, and performance with WHOOP. Perfect for cybersecurity pros who need to stay focused and ahead. Try it out, get a free WHOOP 4.0 and one month free.
Vulnerabilities, Research, and Threat Intelligence
🩹 🐧 CISA has ordered federal agencies to fix a serious Linux kernel vulnerability, CVE-2024-53104, within three weeks due to ongoing attacks. This flaw, which affects devices using the USB Video Class driver, allows attackers to gain elevated privileges without needing additional permissions. Agencies are also urged to secure their networks against other actively exploited vulnerabilities in Microsoft and Apache software.
🪣 🔓 Cybersecurity firm WatchTowr found around 150 abandoned Amazon S3 buckets that could have been exploited by attackers to deliver malware to governments and large companies. Over two months, these buckets received more than eight million requests for various files, including software updates and VM images. To prevent misuse, WatchTowr worked with AWS and government agencies to secure the abandoned buckets.
🔓 A security flaw in AMD's Secure Encrypted Virtualization (SEV) allows attackers with admin access to load harmful CPU microcode, risking the confidentiality of virtual machines. This vulnerability, known as CVE-2024-56161, has a high severity score of 7.2 out of 10. Google researchers discovered the issue, and AMD is working on a fix while keeping some technical details private for now.
ICS, OT & IoT
🗒️ The Five Eyes agencies have issued guidance for device manufacturers to enhance the security of edge devices, which are often targeted by cyberattacks. This guidance emphasizes the importance of secure logging and encourages organizations to follow best practices to protect their devices from vulnerabilities. Manufacturers are urged to adopt secure-by-design principles to reduce potential risks.
🇨🇳 Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated…