πŸ•΅πŸ»β€β™‚οΈ [InfoSec MASHUP] 13/2025

DNA of 15 Million People for Sale in 23andMe Bankruptcy, Trump administration accidentally texted a journalist its war plans, Critical Ingress NGINX controller vulnerability allows RCE without authentication, Cyberattack hits Ukraine's state railway, Troy Hunt's Mailchimp account was successfully phished, OpenAI Offering $100K Bounties for Critical Vulnerabilities, Meta AI is now available in WhatsApp for users in 41 European countries... and cannot be turned off

We now have 1,651 subscribers! Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let's keep growing the community.

Let's now dive into this week's top insights! 🚀


🔓 BREACHES & SECURITY INCIDENTS

🇺🇸 WOW! A new ransomware group calling itself Arkana Security claims to have breached the US telecom provider WideOpenWest (WOW!) and stolen customer data, threatening to publish it unless a ransom is paid. WOW! has not confirmed the breach; if the claim holds, it would likely bring both reputational damage and legal exposure.

Figure: Arkana Security onion site showing WOW! as a victim (source: socradar.io)

📺 StreamElements confirmed a data breach at a third-party service provider, after a hacker leaked records on 210,000 customers. The company says its own servers were not affected and that it is investigating the incident. Users who registered between 2020 and 2024 should expect phishing attempts that reuse the leaked details.

☁️ Who's lying? Several security firms have found evidence that Oracle Cloud was breached, despite Oracle's denial. A threat actor using the handle 'rose87168' claims to have stolen data belonging to more than 140,000 Oracle Cloud tenants, including credential material. Researchers who examined samples say the leaked data appears genuine and covers accounts from multiple countries.

🎣 Troy Hunt discovered that a phishing attack had captured his Mailchimp credentials and exported his mailing list. He realized the mistake after entering his details, including his one-time code, on a fraudulent site while jet-lagged; the phishing page relayed the code in real time, so OTP-based MFA did not help, which is exactly the gap phishing-resistant MFA such as passkeys is meant to close. Hunt has warned subscribers to expect spam and is frustrated that Mailchimp retains data on unsubscribed users. Even the best of us can fall for a phish.

🇺🇸 Numotion, a major provider of mobility solutions, suffered a data breach affecting nearly 500,000 people. Attackers accessed employee email accounts, exposing sensitive customer information such as names, birth dates and financial details. Although there is no evidence of misuse yet, Numotion advises affected individuals to monitor their accounts for fraud.

🇺🇦 "The enemy failed to do the key thing": Ukraine's railway operator, Ukrzaliznytsia, suffered a major cyberattack that disrupted online ticket sales. Trains kept running normally, and passengers were told to buy tickets at the station if needed; Kyiv's main railway station saw long queues as a result.

🔗 Partners and Affiliates

πŸ” NordVPN Spring Campaign 🌷 (March 19 β€” May 19)

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: up to 77% off + 3 extra months on selected 2-year plans.

πŸ₯·πŸ» CYBERCRIME, CYBER ESPIONAGE, APT’s

🎰 The FBI tracked and froze millions of dollars from the ransom Caesars Entertainment paid after its ransomware attack. The attackers initially demanded $30 million; Caesars negotiated that down to about $15 million, paid in Bitcoin. The FBI managed to freeze most of the funds, but a portion, totaling over $5 million, had already been moved before agents could act.

🇨🇳 The Chinese hacking group FamousSparrow has been linked to intrusions at a U.S. trade group and a Mexican research institute, using new versions of its SparrowDoor backdoor. It deployed a more advanced SparrowDoor build that can run multiple commands in parallel, and used ShadowPad for the first time. Initial access came through outdated, unpatched software.

🇷🇺 A Russian ransomware crew exploited a Windows zero-day before Microsoft shipped a patch. The group, tracked as EncryptHub, abused malicious Microsoft Management Console (.msc) files to execute code and steal data. Researchers warn that it is actively developing new techniques for its attacks.

💸 A new ransomware-as-a-service operation called VanHelsing has launched, targeting multiple operating systems and extorting victims after stealing their data. Affiliates can join for free or against a $5,000 deposit, with the operators keeping 20% of ransom payments. Within two weeks it had already claimed three victims and caused significant damage to companies in France and the U.S.

🇨🇳 A newly identified Chinese threat group, Weaver Ant, is targeting telecom providers in Asia, using web shells for long-term access and espionage. It has kept control of compromised servers for years and uses advanced techniques to evade detection. Shared tooling and tradecraft link the group to Chinese APTs.

🇨🇦 ❄️ A Canadian citizen named Connor Moucka has agreed to be extradited to the U.S. to face 20 federal charges related to cyberattacks on Snowflake customers. He is accused of being part of a group that extorted organizations for about $2.5 million and accessed sensitive information. Moucka was arrested in Ontario and is linked to online criminal activities involving multiple aliases.

🇷🇺 A Russian firm called Operation Zero is offering up to $4 million for exploits that target the messaging app Telegram. They are specifically looking for full-chain exploits that can compromise devices running Android, iOS, and Windows. This move comes as another exploit broker, Zerodium, has gone quiet and appears to have shut down.

🗓️ {Cyber,Info}Sec Events: my list of past and future {cyber,info}sec related events. Feel free to contribute by submitting issues or pull requests. Thanks! 😉

πŸ‘¨πŸ»β€βš–οΈ πŸ‘€ GOVERNMENT, POLITICS, AND PRIVACY

🇺🇸 🇾🇪 Bombs falling: Jeffrey Goldberg, editor-in-chief of The Atlantic, was accidentally added to a Signal group chat in which senior national-security officials discussed military strikes in Yemen. Signal encrypts messages end to end, but it is a consumer app running on personal phones, not an accredited system for classified material, so the chat raised concerns about handling classified operational details outside government channels and about potential violations of national-security and records laws.

The Aftermath: The White House confirmed that Defense Secretary Pete Hegseth shared details about military strikes on Houthi rebels in Yemen just before they were carried out. Lawmakers from both parties criticized this incident as a serious error that could endanger national security.

→ The Attack Plans, published by The Atlantic 😱😱

Signalgate: Should Europe be more concerned about VP Vance than President Trump himself? | DW News

🇬🇧 The UK Information Commissioner's Office has fined Advanced Computer Software Group Ltd £3.07 million over a 2022 LockBit ransomware attack that exposed data on more than 79,000 people, including NHS patients. The ICO cited inadequate security measures, such as gaps in vulnerability scanning and multi-factor authentication that had not been rolled out across all systems. The fine is notable as the first in the UK against a data processor rather than a data controller.

🇷🇺 🇺🇦 Austria has uncovered a Russian disinformation campaign targeting Ukraine, linked to a detained Bulgarian woman accused of espionage. Austrian intelligence found evidence that the operation, launched shortly after Russia's 2022 invasion, aimed to spread false information in German-speaking countries. It used online activity and far-right symbols staged to look like the work of pro-Ukrainian activists.

🌍 Police in seven African countries arrested 306 suspects in "Operation Red Card", targeting cybercrime networks involved in scams. The operation, led by INTERPOL, resulted in the seizure of 1,842 devices used for various online frauds affecting over 5,000 victims.

🇺🇸 🇨🇳 The FCC is investigating if banned Chinese telecom companies are still operating in the US despite efforts to remove their equipment. These companies, like Huawei and ZTE, have been deemed a national security risk, leading to funding cuts and bans. The FCC aims to close any loopholes that allow these companies to continue their operations secretly.

🧬 DNA of 15 Million People for Sale: 23andMe has filed for Chapter 11 bankruptcy, putting the genetic data of over 15 million customers at risk. The company is now searching for a buyer, and customers have been urged to request the deletion of their data due to concerns over privacy and security. With ongoing legal issues and a history of data breaches, the future of how this sensitive information will be handled remains uncertain.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs. Use the code NEWTOAIRALO15 if you're new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🇺🇦 🇷🇺 IBM X-Force identified a new backdoor, Sheriff, used in an espionage attack against Ukraine's defense sector in early 2024. The malware was hosted on a popular Ukrainian news site, can take screenshots and steal data, and uses Dropbox for command-and-control. The operation shares traits with other Russian-linked groups targeting Ukraine.

Figure: Infection chain (source: ibm.com)

🍎 New variants of the macOS malware ReaderUpdate have been built in several languages, including Crystal, Nim, Rust and Go. The loader has been linked to adware and can take commands from a command-and-control server. It currently delivers adware, but the same loader could drop more harmful payloads in the future.

🧩 Cybersecurity researchers found two malicious extensions in the VSCode Marketplace that deploy early-stage ransomware. The extensions, "ahban.shiba" and "ahban.cychelloworld", were removed after they were discovered to execute a PowerShell command to encrypt files on users' desktops. The ransomware demands payment in ShibaCoin but lacks further instructions, indicating it is still in development.

🎒 Mickey Malware: A former Disney employee, Matthew Van Andel, filed a wrongful termination complaint after his personal computer was hacked due to malware he unknowingly downloaded. Disney claims he accessed inappropriate material on his work computer, which he denies. Van Andel's personal information was leaked in the attack, causing him distress and financial concerns.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

💥 💬 Researchers have found a way to automatically generate indirect prompt injection attacks against large language models such as Google's Gemini. Indirect prompt injection itself is not new: it exploits the fact that a model cannot reliably distinguish its instructions from untrusted text it is asked to process (a web page, an email, a document), so instructions planted in that text get followed. Automating the search for working injections makes the attacks cheaper and more reliable than hand-crafting them.

💬 Meta AI is now available in WhatsApp for users in 41 European countries and cannot be turned off. The chatbot offers features like answering questions and creating stickers but is less powerful than the standalone Meta AI web app. Users are advised to avoid the AI button if they don't want to engage with it.

🇨🇳 🔇 A leaked database reveals that China has created an AI system to enhance its censorship efforts, targeting sensitive topics like political dissent and social issues. This sophisticated censorship machine uses a large language model to automatically flag content, making it more efficient than traditional methods. Experts warn that this trend shows how authoritarian regimes are increasingly adopting advanced AI technology for repression.

πŸ” Proton VPN is now integrated into the Vivaldi browser, allowing users to enjoy powerful privacy without extra downloads. Both companies prioritize user data protection and share a commitment to privacy and independence. With this partnership, they aim to provide secure and democratic internet access without compromising on values.

πŸ› οΈ Go Deep: DeepTeam is an open-source framework designed for red teaming large language models (LLMs) to identify security vulnerabilities and risks. It allows users to simulate various attacks and customize assessments based on established security guidelines. By using DeepTeam, developers can efficiently detect issues like bias and misinformation in their LLM applications.

🔗 Partners and Affiliates

⚑️ Unlock Your Peak Performance – First Month FREE!

Optimize your sleep, recovery, and performance with WHOOP. Perfect for cybersecurity pros who need to stay focused and ahead of the threat. Try it out, get a free WHOOP 4.0 and one month free.

🪳 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

πŸ› πŸ”₯ Wiz Research discovered serious security vulnerabilities in the Ingress NGINX Controller for Kubernetes, dubbed #IngressNightmare, allowing attackers to execute remote code and access sensitive information. Approximately 43% of cloud environments may be at risk, including many Fortune 500 companies. Immediate patching is recommended to mitigate these critical vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974).

Figure: IngressNightmare attack vectors (source: wiz.io)
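A quick way to find out whether the controllers in your clusters are affected is to inventory their image tags. The triage helper below is an added example, not code from the newsletter, from Wiz or from the ingress-nginx project. It walks the JSON that `kubectl get deployments,daemonsets -A -o json` prints, picks out every ingress-nginx controller container and classifies its version. Two assumptions are not stated on this page: the first fixed releases, 1.12.1 and 1.11.5, are taken from the upstream advisory at the time of writing (verify against the current release notes), and the image is the upstream default `registry.k8s.io/ingress-nginx/controller` with a `vX.Y.Z` tag. The sample input is constructed.

```javascript
// Added example (not from the newsletter, Wiz, or ingress-nginx): classify
// ingress-nginx controller images found in kubectl JSON output against the
// first patched release on each supported minor line.
// Assumption: fixed releases per the upstream advisory at the time of writing.
const FIXED = { '1.12': [1, 12, 1], '1.11': [1, 11, 5] };

// "registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:..." -> [1, 11, 2]
function parseTag(image) {
  const m = image.match(/:v?(\d+)\.(\d+)\.(\d+)/);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Three-part numeric compare; negative when a is older than b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// 'patched' or 'vulnerable' on a minor line that received a fix;
// 'unsupported' when the line never did and must be upgraded to one that has.
function assess(version) {
  const line = `${version[0]}.${version[1]}`;
  if (!(line in FIXED)) return 'unsupported';
  return compareVersions(version, FIXED[line]) >= 0 ? 'patched' : 'vulnerable';
}

// Walk a kubectl List object (deployments and/or daemonsets) and report every
// container whose image is the ingress-nginx controller.
function findControllers(list) {
  const report = [];
  for (const item of list.items || []) {
    const containers = item.spec?.template?.spec?.containers ?? [];
    for (const c of containers) {
      if (!c.image.includes('ingress-nginx/controller')) continue;
      const version = parseTag(c.image);
      report.push({
        namespace: item.metadata.namespace,
        name: item.metadata.name,
        image: c.image,
        status: version ? assess(version) : 'unknown',
      });
    }
  }
  return report;
}

// One line per controller, suitable for a ticket or a cron job's output.
function formatReport(list) {
  return findControllers(list).map(
    (r) => `${r.status.padEnd(12)} ${r.namespace}/${r.name} ${r.image}`
  );
}

// Constructed sample in the shape of kubectl output, trimmed to the fields the
// walker reads; namespaces, names and tags are invented for the example.
const SAMPLE_LIST = {
  items: [
    { metadata: { namespace: 'ingress-nginx', name: 'ingress-nginx-controller' },
      spec: { template: { spec: { containers: [
        { name: 'controller', image: 'registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:0000' } ] } } } },
    { metadata: { namespace: 'edge', name: 'ingress-nginx-controller' },
      spec: { template: { spec: { containers: [
        { name: 'controller', image: 'registry.k8s.io/ingress-nginx/controller:v1.12.1' } ] } } } },
    { metadata: { namespace: 'legacy', name: 'ingress' },
      spec: { template: { spec: { containers: [
        { name: 'controller', image: 'registry.k8s.io/ingress-nginx/controller:v1.10.1' } ] } } } },
    { metadata: { namespace: 'web', name: 'frontend' },
      spec: { template: { spec: { containers: [
        { name: 'nginx', image: 'nginx:1.27' } ] } } } },
  ],
};
```

To run it against a real cluster, parse the command's stdout with `JSON.parse` and pass the object to `formatReport`. A 'patched' result only means the controller build is fixed; it says nothing about whether the admission webhook is still reachable from workloads, which is the other half of the exposure.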

πŸ› A serious security flaw in NetApp SnapCenter could allow users to gain remote admin access on systems with its plug-in. This vulnerability, known as CVE-2025-26512, has a high risk score of 9.9 out of 10. Users are urged to update to SnapCenter versions 6.0.1P1 or 6.1P1 to protect against this issue.

πŸ’° πŸ› OpenAI has increased its bug bounty payout to $100,000 to find critical vulnerabilities in its systems. The company is also funding security research projects and offering microgrants to help develop security solutions. Additionally, OpenAI is collaborating with experts to improve its defenses against potential cyber attacks.

πŸ› A serious security flaw in the Next.js framework allows attackers to bypass important authorization checks. This vulnerability, tracked as CVE-2025-29927, has a high severity score and can expose sensitive areas of a website. Users are urged to update to the latest versions or limit certain requests to protect their applications.

πŸ› From another Century: The CVE program, started in 1999, helps organize and share information about computer vulnerabilities, with over 40,000 new reports each year. Despite some challenges, experts believe it remains the best system for identifying and addressing these vulnerabilities. Overall, the program is seen as valuable and resilient, continuing to evolve and benefit the cybersecurity community.

🛰️ ICS, OT & IoT

β˜€οΈ SUN:DOWN β€” Researchers from Forescout found over 90 vulnerabilities in solar power systems from major companies like Sungrow, Growatt, and SMA, posing risks to electrical grids. Some flaws could allow hackers to take control of solar inverters, leading to possible disruptions in power supply and data breaches. While SMA and Sungrow have patched their vulnerabilities, many issues in Growatt products remain unaddressed.

πŸ› Inaba Denki Sangyo's monitoring cameras have serious unpatched vulnerabilities that can be exploited for remote hacking. These flaws allow attackers to control the cameras, monitor live feeds, and potentially manipulate or delete footage. The company has not yet released fixes and advises customers to enhance security measures instead.

🛜 Internet-connected... weighing machines: great blog post describing how one could have hacked millions of smart scales by exploiting flaws in the user-device association process. By reverse-engineering the mobile app and its API, the author found ways to bind any user account to any device without owning it.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Thanks for reading today's newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
