[InfoSec MASHUP] 07/2025

8base Site Seized; US National Cyber Director Chosen; US, UK, and Australia Impose Sanctions on Russian Hosting Provider; CISA Staff Members Put on Admin. Leave;

Welcome to the 33 new members from the last 30 days! This newsletter now has 1,664 subscribers.

Partners and Affiliates

🔐 NordVPN Birthday Campaign 🎉 (February 5 – March 19)

Special Birthday Offer: up to 73% off 2-year plans, plus 6 months free when purchasing an Ultra, Ultimate, Complete, Plus, or Standard plan.

Breaches & Security Incidents

💸 zkLend lost about $9.5 million worth of ETH after an attacker exploited a flaw in one of its smart contracts. The project has asked the attacker to return 90% of the stolen funds, offering to let them keep 10% as a bounty. If the funds are not returned by February 13, zkLend says it will pursue legal action.

🇺🇸 Cisco confirmed that data recently published by a ransomware group comes from a cyberattack it disclosed in May 2022, not from a new intrusion. The leaked material includes usernames and password hashes stolen at the time; Cisco says the original incident had no impact on its customers. The group behind the leak, Kraken, is believed to be a rebrand of the HelloKitty operation and appears to be recycling old breaches to attract attention.

🇺🇸 Lee Enterprises, a major newspaper group in the U.S., suffered a cyberattack on February 3, 2025, disrupting its operations and causing network outages. This incident affected the printing and delivery of many newspapers, leaving reporters without access to their files. The company is investigating the attack and has notified law enforcement, while also informing readers of temporary service issues on their websites.

🇺🇸 Memorial Hospital and Manor in Georgia has informed 120,000 people that their personal information was stolen in a ransomware attack. The attackers, known as the Embargo group, claimed to have taken 1.15 terabytes of data, including sensitive health information. The hospital is offering free identity protection and credit monitoring to those affected, though there is no evidence of misuse so far.

🔊 Interested in Reaching a Cybersecurity Audience?

Amplify your brand’s presence by sponsoring the InfoSec MASHUP newsletter!

Reach dedicated readers in the cybersecurity field with each issue! Contact us to explore sponsorship opportunities.

Cybercrime, Cyber Espionage, APTs

🇨🇳 The Chinese hacking group Salt Typhoon is still breaching telecom companies despite U.S. sanctions against them. They have targeted multiple firms worldwide, including in the U.S., Italy, South Africa, and Thailand. Researchers expect Salt Typhoon to keep attacking telecommunications providers in the future.

🇷🇺 A Russian state threat group has expanded its cyberattacks to targets in the U.S., Canada, Australia, and the U.K. in a campaign Microsoft tracks as "BadPilot". The group, known as Seashell Blizzard, has exploited a range of vulnerabilities in internet-facing systems since 2021 to gain initial access to sensitive industries and infrastructure. Microsoft warns that the shift toward broader, less targeted initial access increases the risk of follow-on attacks on critical systems worldwide.

🇺🇸 🇷🇺 The U.S., Australia, and the U.K. have imposed sanctions on Zservers, a Russian hosting provider, for helping ransomware groups like LockBit. The sanctions also target two Russian nationals linked to the company who facilitated cybercriminal activities. This action aims to disrupt the infrastructure that supports cybercrime and protect national security.

🇺🇸 ⚖️ An Alabama man, Eric Council Jr., pleaded guilty to a SIM swap attack that hijacked the U.S. SEC's X account in January 2024. He used the compromised account to post a fake announcement that Bitcoin ETFs had been approved, briefly moving the price of Bitcoin. Council faces up to five years in prison and is set to be sentenced on May 16.

🚨 Law enforcement agencies from Europe, Japan, the U.S., and the U.K. have seized the dark web site of the 8base ransomware gang — This gang, known for double-extortion tactics, targets various sectors, including healthcare. The operation highlights a global effort to combat cybercriminal activities.

Thai authorities arrested four Europeans in Phuket for their involvement in ransomware attacks targeting Swiss companies. The suspects are linked to the 8Base group, which extorted $16 million in Bitcoin from victims. This operation is part of a larger international effort to combat cybercrime and seize criminal digital infrastructure.

Image: a seizure notice on 8base's dark web leak site, which reads: "This hidden site and the criminal content have been seized."

🇺🇸 ⚖️ An Indiana man, Evan Frederick Light, was sentenced to 20 years in prison for hacking an investment company and stealing over $37 million in cryptocurrency. He used a client's stolen identity to access sensitive information and take funds from hundreds of clients. Light also laundered the stolen money through various services to hide his tracks.

Government, Politics, and Privacy

🇱🇹 🇺🇸 A Lithuanian adtech company called Eskimi has been identified as the source of sensitive location data tracking U.S. military personnel. This data was sold to a Florida-based broker, raising concerns about the security of military information. Experts warn that the adtech industry poses a global insider threat by misusing access to sensitive data.

🇺🇸 President Trump has chosen Sean Cairncross as his national cyber director. Cairncross has a background in government and consulting but lacks major cyber experience. If confirmed, he will be the third leader of the Office of the National Cyber Director.

👀 🇮🇱 Beppe Caccia, a co-founder of the NGO Mediterranea Saving Humans, revealed he was targeted with spyware from the Israeli company Paragon, following a similar claim from his colleague Luca Casarini. This comes after WhatsApp notified about 90 users that they were suspected targets of the spyware. The Italian government denies any involvement in the hacking campaign.

🇺🇸 Benched: Seventeen staff members from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) who help secure elections have been placed on administrative leave. The decision raises concerns about the support available to state and local election offices ahead of upcoming elections. State officials from both parties have praised CISA's election security work and worry about the impact of these staffing changes.

Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

Malware & Threats

🦠 A new malware campaign, attributed to the REF7707 threat cluster, is targeting the foreign ministry of a South American country with advanced tooling for espionage. The malware, called FINALDRAFT, abuses the legitimate Microsoft Graph API as its command-and-control channel, which lets the operators issue commands to infected systems over traffic that blends in with normal Microsoft 365 activity. Researchers believe the attackers are well organized and have been operating for an extended period, consistent with a long-term espionage focus.

🇷🇺 🇺🇦 Sandworm, the Russian cyber threat group, is targeting Ukrainian Windows users with fake Microsoft KMS activation tools to conduct espionage. The trojanized activators install a malicious loader called BACKORDER, which can download additional malware. The campaign is ongoing and preys on users looking for pirated tools to bypass Windows licensing.

AI, Crypto, Tech & Tools

Partners and Affiliates

⚡️ Unlock Your Peak Performance – First Month FREE!

Optimize your sleep, recovery, and performance with WHOOP. Perfect for cybersecurity pros who need to stay focused and ahead. Try it out, get a free WHOOP 4.0 and one month free.

Vulnerabilities, Research, and Threat Intelligence

Patch Tuesday:

🩹 Intel, AMD, and Nvidia released new security advisories this week to address high-severity vulnerabilities in their products. Intel reported 34 new advisories, with one critical issue affecting Server Board products, while AMD issued 11 advisories highlighting flaws that could allow attackers to execute arbitrary code. Nvidia published four advisories, including one for a high-severity vulnerability that could lead to privilege escalation and data tampering.

🪳 🔓 Fortinet has disclosed a further authentication-bypass vulnerability in FortiOS and FortiProxy that can give an attacker super-admin access to a firewall. The flaw, identified as CVE-2025-24472, affects multiple versions of both products and was added to an existing January advisory whose exploitation activity Fortinet traces back to mid-November. Fortinet advises upgrading to a fixed release and, in the meantime, removing public access to the firewall's HTTP/HTTPS administrative interface and restricting management access to trusted source addresses.

🪳 🔓 Apple reported a high-severity vulnerability in OpenSSL, tracked as CVE-2024-12797, which could enable man-in-the-middle attacks against clients that use RFC 7250 raw public keys (RPKs) rather than X.509 certificates to authenticate servers. When such a client has enabled RPKs and set SSL_VERIFY_PEER, a failed server authentication does not abort the handshake as expected, so the client can keep talking to an unauthenticated server without noticing. RPK support is not enabled by default, so only clients that explicitly opted in are exposed; such clients can also check SSL_get_verify_result() after the handshake. OpenSSL released fixes in versions 3.4.1, 3.3.3, and 3.2.4 (RPK support arrived in 3.2, so 3.0, 3.1, and 1.1.1 are not affected).
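A quick way to tell whether a given OpenSSL build is still in the CVE-2024-12797 affected range, as an added example that is not part of the newsletter or of the OpenSSL project. The fixed-version numbers (3.2.4, 3.3.3, 3.4.1) are taken from the OpenSSL advisory; the version strings fed to it are constructed samples, and the check of the running interpreter relies on Python's `ssl.OPENSSL_VERSION_INFO`. Note that a vulnerable version only matters for clients that enabled RPKs and SSL_VERIFY_PEER; the version check tells you whether you need to care, not whether you are exploited.

```python
"""CVE-2024-12797 version check (added example; fixed versions per OpenSSL advisory)."""
import re
import ssl

# First fixed release on each affected minor branch. RPK support was introduced
# in 3.2, so 1.x, 3.0 and 3.1 never had the bug; 3.5 and later shipped fixed.
FIXED_IN = {
    (3, 2): (3, 2, 4),
    (3, 3): (3, 3, 3),
    (3, 4): (3, 4, 1),
}

_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from strings such as
    'OpenSSL 3.3.2 3 Sep 2024' (output of `openssl version`) or a bare '3.4.0'."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if this OpenSSL release still carries CVE-2024-12797."""
    fixed = FIXED_IN.get(tuple(version[:2]))
    if fixed is None:
        # Branch without RPK support (pre-3.2) or released after the fix (3.5+).
        return False
    return tuple(version[:3]) < fixed


def assess(text):
    """Parse a version string and return (version_tuple, affected_flag)."""
    ver = parse_version(text)
    return ver, is_affected(ver)


def check_running_python():
    """Report on the OpenSSL that this interpreter's ssl module is linked against.
    OPENSSL_VERSION_INFO is (major, minor, fix, patch, status); the first three
    fields are the x.y.z release number."""
    ver = ssl.OPENSSL_VERSION_INFO[:3]
    return ver, is_affected(ver)


if __name__ == "__main__":
    # Constructed sample inputs, not real output from any particular host.
    samples = [
        "OpenSSL 3.3.2 3 Sep 2024",     # affected, fixed in 3.3.3
        "OpenSSL 3.2.4 11 Feb 2025",    # fixed
        "3.4.0",                        # affected, fixed in 3.4.1
        "OpenSSL 3.0.15 3 Sep 2024",    # no RPK support, not affected
    ]
    for s in samples:
        ver, bad = assess(s)
        print(f"{s:32} -> {'.'.join(map(str, ver))}: {'AFFECTED' if bad else 'not affected'}")
    ver, bad = check_running_python()
    print("this interpreter links OpenSSL", ".".join(map(str, ver)),
          "->", "AFFECTED" if bad else "not affected")
```

Feed it the output of `openssl version` from each host or container image you care about; anything flagged AFFECTED that also uses RPK-based server authentication should be upgraded before the client is trusted to talk to anything sensitive.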

🍎 🩹 Apple has released updates for iOS and iPadOS to fix a serious security flaw that may have been exploited in highly targeted attacks. The vulnerability allowed an attacker with physical access to disable USB Restricted Mode on a locked device, the feature meant to block data access over the USB port once a device has been locked for a while. The flaw was discovered by a researcher at the Citizen Lab, and it raises concerns about the misuse of forensic extraction tools by law enforcement.

🪳 💰 Microsoft is expanding its Copilot bug bounty program to include more consumer products and increase rewards for researchers. They now offer up to $5,000 for moderate-severity vulnerabilities, while critical-severity flaws can still earn up to $30,000. This change aims to enhance security across various Copilot services and encourage more participation from security researchers.

ICS, OT & IoT

🩹 Siemens and Schneider Electric have released security advisories addressing multiple vulnerabilities in their products. Siemens has published 14 advisories for about 100 vulnerabilities, including critical flaws that could allow remote code execution. Schneider Electric has released four advisories for nine vulnerabilities, highlighting severe flaws that could lead to disruption and privilege escalation.
