[InfoSec MASHUP] 08/2025

Welcome to the 32 new members from the last 30 days! This newsletter now has 1,675 subscribers.

Breaches & Security Incidents

🔓 A security flaw in the stalkerware apps Cocospy and Spyic has exposed the personal data of millions, including messages and photos. The vulnerability allows anyone to access email addresses of users who intended to monitor someone secretly. These apps are often undetected by victims, raising concerns about privacy and security.

🇬🇧 HCRG Care Group, a major healthcare provider in the UK, is investigating a cybersecurity breach after a ransomware gang claimed to have stolen sensitive data. The Medusa ransomware group has threatened to publish the stolen information unless HCRG pays a $2 million ransom. HCRG is working with forensic specialists and has informed regulators while continuing to provide services to patients.

🇺🇸 Insight Partners, a New York-based venture capital firm, experienced a cyberattack in January that was triggered by a social engineering scheme. The company is investigating the breach with third-party cybersecurity experts and has notified law enforcement. They believe there will be no major impact on their operations or stakeholders but are still assessing the situation.

🇺🇸 Lee Enterprises, a major newspaper publisher, is experiencing ongoing disruptions due to a cyberattack that has encrypted its critical systems. The company is investigating whether any sensitive data was stolen and expects the outages to continue for several more weeks. This incident has affected the distribution of newspapers and access to online services.

➝ More breaches:

• Mining Company NioCorp Loses $500,000 in Business Email Compromise (BEC) Hack

Cybercrime, Cyber Espionage, APT’s

💰 Internal conflicts in the Black Basta ransomware gang — A large leak of chat logs from the Black Basta ransomware group has revealed key members and their victims. The logs, containing over 200,000 messages, show internal conflicts and details about their cyberattacks on various organizations. Notable victims include healthcare provider Ascension and utility company Southern Water, highlighting the gang's extensive criminal activities.

🇬🇧 Apple has removed the iCloud end-to-end encryption feature in the UK after the government requested a way to access users' encrypted data. New users in the UK will no longer be able to use the Advanced Data Protection feature, which protects iCloud data with strong encryption. Apple expressed disappointment over this decision, as they believe enhanced security is crucial for customer privacy.

🇷🇺 💬 Russian hackers are exploiting Signal's "linked devices" feature to spy on users by tricking them into scanning malicious QR codes. This allows attackers to receive real-time copies of messages without breaking Signal's encryption. Mandiant warns that this tactic poses a significant threat to users, especially military personnel and journalists.

🇨🇳 🇯🇵 The Winnti group, linked to China, has launched a new cyber espionage campaign called RevivalStone, targeting Japanese companies in key industries. They use advanced malware and tactics to stealthily infiltrate systems, collect information, and establish long-term access. This campaign has seen them exploit vulnerabilities to spread their malware further within the affected organizations.

🇳🇱 Dutch police seized 127 servers from the bulletproof hosting service Zservers, which had been used by cybercriminals. This action followed sanctions announced by the US, UK, and Australia against Zservers and its operators. The servers, located in Amsterdam, hosted hacking tools and stolen data, and investigators are currently analyzing the information.

🇪🇪 Ponzi: Two Estonian men, Sergei Potapenko and Ivan Turõgin, have pleaded guilty to a $577 million cryptocurrency Ponzi scheme. They misled customers about a fake cryptocurrency mining service called HashFlare and used the money to buy luxury items. They face up to 20 years in prison and will forfeit over $400 million to compensate their victims.

Government, Politics, and Privacy

🇺🇸 Health Net Federal Services (HNFS) and its parent company, Centene Corporation, will pay $11 million to settle claims of not meeting cybersecurity requirements for the Department of Defense. The US government alleges HNFS filed false compliance certifications and failed to implement necessary cybersecurity controls from 2015 to 2018. Although they are paying the settlement, HNFS and Centene deny any wrongdoing and state that no data was lost.

🇪🇸 Mollitiam Industries, a small Spanish spyware company, has shut down due to financial issues and filed for bankruptcy. The company was involved in a scandal in Colombia, where it allegedly sold malware to military intelligence for surveillance purposes. Despite its low profile, Mollitiam Industries was tracked by organizations like Amnesty International for its spyware activities.

Partners and Affiliates

Malware & Threats

🦠 👾 Hackers modified a game called PirateFI to include malware that steals passwords and other sensitive data from gamers' computers. The malware, known as Vidar, has been linked to various cybercrime activities and is easy for low-skilled hackers to use. Valve removed PirateFI from Steam after discovering the malware, which was embedded in a game-making template.

🦠 🍎 Microsoft has discovered a new variant of the XCSSET macOS malware, which includes advanced obfuscation and updated infection methods. This malware targets users by infecting Apple Xcode projects and can exfiltrate data from various applications. The latest update marks the first major change since 2022, making it harder to analyze and ensuring it runs every time the system starts.

🦠 ⌨️ A new variant of the Snake Keylogger malware targets Windows users in various countries and has blocked over 280 million infection attempts this year. It uses AutoIt scripting to avoid detection and steals sensitive information by logging keystrokes and capturing credentials. The malware can maintain access to infected systems even after reboots by using persistence techniques.

🚪 🇷🇺 Researchers have discovered a new backdoor malware written in Golang that uses the Telegram Bot API for communication. This malware may have Russian origins and can execute commands, restart itself, and delete its files while interacting with a chat on Telegram. It is still under development but fully functional, posing challenges for cybersecurity defenses.

AI, Crypto, Tech & Tools

🇺🇸 The SEC has rebranded its cryptocurrency unit to the "Cyber and Emerging Technologies Unit" to better combat fraud in new technologies. The unit will focus on protecting investors and addressing issues related to cyber misconduct, including blockchain and crypto fraud. Concerns remain about whether this change indicates a reduced emphasis on enforcing cryptocurrency regulations.

🇰🇷 🇨🇳 South Korea has temporarily blocked downloads of the Chinese AI app DeepSeek from local app stores due to concerns about user data handling. The app will be allowed back once it complies with South Korean privacy laws. Users are advised to avoid sharing personal information until the situation is resolved.

🇺🇦 🇷🇺 Ukraine warns that Russia is increasingly using artificial intelligence in cyber-espionage to analyze stolen data, making their attacks more effective. Russian hackers now create personalized phishing messages to target Ukrainian military personnel on encrypted platforms like Signal. Ukrainian officials are also using AI to enhance their cybersecurity efforts against these sophisticated attacks.

⌚️ JD Vance, the Vice President of the United States, was recently criticized for wearing an Apple Watch due to security concerns. The blog Watches of Espionage highlighted that smartwatches can collect sensitive data, but Vance rarely wears his watch in public. This raises questions about why he chooses to wear it sometimes and not others.

Partners and Affiliates

Vulnerabilities, Research, and Threat Intelligence

• Atlassian has released patches for 12 critical and high-severity vulnerabilities in its products

• Chrome 133, Firefox 135 Updates Patch High-Severity Vulnerabilities

• Citrix Releases Security Fix for NetScaler Console Privilege Escalation Vulnerability

• Microsoft Patches Exploited Power Pages Vulnerability

🔓 Nine vulnerabilities were found in NVIDIA's CUDA Toolkit tools, cuobjdump and nvdisasm, which help developers analyze CUDA binary files. These issues could allow attackers to exploit older versions of the tools through manipulated files, potentially leading to limited denial of service or information disclosure. To stay safe, it is recommended to use the latest version of the CUDA Toolkit.

🐡 Two serious vulnerabilities have been found in OpenSSH that can lead to man-in-the-middle and denial-of-service attacks. These issues affect certain versions of OpenSSH and could allow attackers to hijack connections or disrupt server access. A patch has been released in OpenSSH version 9.9p2 to fix these vulnerabilities.

🪳 💥 Palo Alto Networks has warned that hackers are actively exploiting a new vulnerability in their firewall software, PAN-OS. This flaw allows attackers to access unpatched networks by chaining it with two older vulnerabilities. Customers are urged to urgently patch their systems to prevent unauthorized access.

🇨🇳 Chinese state-sponsored hackers exploited two zero-day vulnerabilities to breach US Treasury workstations in December 2024. One of these vulnerabilities, CVE-2025-1094, allows attackers to execute arbitrary commands via SQL injection in PostgreSQL. Users are advised to update their PostgreSQL and BeyondTrust software to protect against these vulnerabilities.

🖨️ Vulnerabilities in Xerox VersaLink printers can let attackers steal authentication credentials through pass-back attacks on LDAP and SMB/FTP services. Xerox has released updates to fix these issues, and organizations are urged to update their printers to the latest firmware. To enhance security, users should use strong passwords and restrict access to the printer's settings.

ICS, OT & IoT