🕵🏻‍♂️ [InfoSec MASHUP] 19/2025

🔓 BREACHES & SECURITY INCIDENTS

🇺🇸 A software engineer named Kyle Schutt, who works for the Cybersecurity and Infrastructure Security Agency (CISA), has had his login credentials leaked due to malware on his computer. He accessed sensitive software for the Federal Emergency Management Agency, which raises concerns about security. The malware has stolen his credentials multiple times this year, highlighting the risks of cyberattacks.

🇺🇸 Education company Pearson was hit by a cyberattack that exposed customer data, primarily from older records. The attackers accessed Pearson's systems through a leaked GitLab token, allowing them to steal large amounts of data. Pearson is investigating the incident and has enhanced their security measures but has not disclosed specific details about the affected customers.

🇺🇸 🏥 Masimo Corporation has reported a cyberattack that is disrupting its manufacturing and delaying customer orders. The company is working to restore its systems and has involved external cybersecurity experts. It is still unclear how the attack has affected customer data and financial results.

🏫 PowerSchool has warned that a hacker from a previous cyberattack is now extorting individual school districts, threatening to release stolen student and teacher data if they don't pay a ransom. The company has reported this situation to law enforcement and is assisting affected schools. PowerSchool also offered free credit monitoring to help protect against identity theft.

🇬🇧 The UK Legal Aid Agency is investigating a cybersecurity incident that may have compromised financial information of law firms. They have warned about the risk to legal aid providers but cannot confirm any data was accessed. The UK National Crime Agency is assisting in the investigation, highlighting the seriousness of the situation.

🇺🇸 Kelly Benefits has revealed that a recent data breach affected over 413,000 individuals, much more than the initial estimate of 32,000. Hackers stole personal information, including names, Social Security numbers, and financial details during a five-day attack in December 2024. The company is notifying those impacted, but it is still unclear if this breach was part of a ransomware attack.

🔗 Partners and Affiliates

🔐 NordVPN x Saily Campaign (May 14 - July 2)

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: up to 73% off on selected 2-year NordVPN plans plus a free Global Saily eSIM data plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🔓 The LockBit ransomware gang was hacked, exposing their internal data and negotiation messages with victims. The breach revealed details such as 59,975 bitcoin addresses and plaintext passwords for 75 users. This incident further damages LockBit's reputation, which was already affected by previous law enforcement actions.

🇩🇪 German federal police shut down the eXch cryptocurrency exchange for alleged money laundering activities. They seized servers and data worth around $38 million, linking the platform to criminal funds, including stolen assets from a major hack. The operators are now under investigation for operating a criminal online trading platform.

🇺🇸 🇳🇱 The FBI and Dutch police shut down a botnet that used hacked routers to provide services to cybercriminals. Four individuals were indicted for profiting from these services, which were disguised as legitimate proxy offerings. The operation, called "Operation Moonlander", targeted thousands of compromised devices worldwide.

🇷🇺 Google has warned that the Russian APT group Star Blizzard is using a new malware called LostKeys to steal information, primarily targeting advisors to Western governments and journalists. The group employs a technique called ClickFix to deliver this malware through phishing attacks, which involve fake web pages and PowerShell commands. Users are advised to be cautious of sites that ask them to run commands on their devices.

🇬🇧 The DragonForce ransomware group has claimed responsibility for recent cyberattacks on UK retailers, including Co-op, Harrods, and Marks & Spencer. The attacks have caused significant disruptions, with M&S suspending online purchases and Co-op reporting stolen customer data. The UK National Cyber Security Centre is urging businesses to enhance their cybersecurity measures in response to these incidents.

🇵🇱 Polish authorities arrested four suspects linked to six DDoS-for-hire services that have caused thousands of cyberattacks worldwide since 2022. These platforms allowed users to disrupt online services easily by flooding them with traffic for a fee. The operation involved cooperation between law enforcement from multiple countries, including the U.S., Germany, and the Netherlands.

🇮🇷 An Iranian hacking group maintained access to critical national infrastructure in the Middle East for nearly two years, using VPN flaws and malware. Their tactics included extensive espionage and deploying multiple backdoors to retain access despite the victim's countermeasures. The attackers demonstrated sophisticated techniques to infiltrate networks and avoid detection throughout the operation.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests. Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🌐 NATO is hosting the Locked Shields 2025 cyber defense exercise in Estonia, involving nearly 4,000 experts from 41 countries. The exercise aims to improve national cybersecurity teams' readiness to defend critical infrastructure against complex cyberattacks. Participants face challenges like disinformation, legal issues, and the impacts of quantum computing and AI.

🇬🇧 The UK government has introduced a voluntary Software Security Code of Practice to encourage software vendors to adopt secure practices. This framework includes 14 principles focused on secure design, patching, and transparency, aiming to improve software security without immediate regulation. It addresses issues like multi-factor authentication being treated as an extra feature, pushing vendors to prioritize security in their products.

🇺🇸 🇲🇲 The US has sanctioned a Myanmar warlord, Saw Chit Thu, and his militia, the Karen National Army, for their involvement in cyber scams targeting Americans. The KNA has been linked to organized crime, human trafficking, and has caused billions in losses from scams. The sanctions block their property in the US and restrict transactions with them.

👀 💰 NSO Group must pay over $167 million to WhatsApp for a 2019 hacking campaign that targeted more than 1,400 users. The ruling follows a five-year legal battle, with WhatsApp winning both punitive and compensatory damages. NSO Group's spokesperson hinted at the possibility of an appeal against the verdict.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🍎 Three malicious NPM packages pretending to be developer tools for the Cursor AI code editor were found to install a backdoor on macOS systems. These packages, downloaded over 3,200 times, steal user credentials and modify the Cursor application for remote control. Users are advised to remove these packages and check their systems for unauthorized changes.

🐍 Researchers found malware in a fake Discord utility package called discordpydebug, which was downloaded over 11,500 times from the Python Package Index (PyPI). This package includes a remote access trojan that can read sensitive data and execute commands. The threat is part of a larger campaign involving multiple malicious packages across different coding ecosystems.

💤 Hundreds of e-commerce sites were hacked due to a supply-chain attack that used malware to steal payment information from visitors. This malware had been dormant for six years before activating recently, affecting at least 500 sites. One of the compromised sites belonged to a large multinational company, and efforts to fix the issue are still limited.

🎣 A phishing kit called CoGUI sent over 580 million emails from January to April 2025 to steal personal and payment information. The emails impersonate well-known brands and mainly target Japan, but also reach users in the U.S., Canada, Australia, and New Zealand. Researchers warn that these phishing attacks could easily spread to other countries, so it's important to be cautious with urgent email requests.

🎣 🩸 The Darcula phishing-as-a-service platform stole 884,000 credit cards through SMS phishing texts sent to 13 million users globally over seven months. It targets Android and iPhone users with fake notifications, making its attacks more effective by using advanced messaging methods. Investigators found evidence linking the operation to a Chinese individual and identified around 600 scammers involved in the scheme.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🥸 Google is introducing new AI tools to help protect Chrome users from scams —The AI, called Gemini Nano, will provide enhanced protection against phishing and spam notifications on both desktop and Android. This technology will help users identify risky websites and malicious notifications more effectively.

🥸 Accenture's CEO was targeted by a deepfake during a video call about an unpaid invoice, highlighting the growing threat of AI-generated impersonations. Security expert Flick March warns that detecting deepfakes is becoming increasingly difficult, and organizations must enhance their security measures to protect against such attacks. Companies should prioritize awareness and update their protocols to respond effectively to potential deepfake incidents.

🫣 Bruce Schneier warns that AI models are biased towards their creators, risking manipulation like search engines. He advocates for governments and academia to develop transparent AI alternatives to protect consumers. The EU AI Act is a positive step, but more regulation is needed to ensure AI serves the public good.

🔗 Partners and Affiliates

⚡️ Unlock Your Peak Performance – First Month FREE!

Optimize your sleep, recovery, and performance with WHOOP. Perfect for cybersecurity pros who need to stay focused and ahead of the threat. Try it out, get a free WHOOP 4.0 and one month free.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Cisco Patches CVE-2025-20188 (10.0 CVSS) in IOS XE That Enables Root Exploits via JWT

• Google addresses 1 actively exploited vulnerability in May’s Android security update

• SonicWall Patches 3 Flaws in SMA 100 Devices Allowing Attackers to Run Code as Root

• SysAid Patches 4 Critical Flaws Enabling Pre-Auth RCE in On-Premise Version

🐛 💥 A serious vulnerability in SAP NetWeaver, tracked as CVE-2025-31324, has been exploited since January 2025, allowing attackers to execute remote code. Hundreds of SAP instances across various industries have been compromised, and cybersecurity firms warn that attackers are revisiting these servers. Organizations are urged to patch the vulnerability and assess potential compromises to protect their systems.

↳ Threat Brief: CVE-2025-31324, by Palo Alto Uni42

🐛 A serious vulnerability in Samsung's MagicINFO (CVE-2024-7399) content management system was exploited just days after exploit code was released. This flaw allows unauthenticated attackers to upload files and potentially execute harmful code with system privileges. Samsung has released a patch, and users are urged to update to the latest version to protect against attacks.

🐍 🤖 The US cybersecurity agency CISA has warned about a critical vulnerability in Langflow, a Python-based AI builder, which can be exploited by attackers to execute arbitrary code. This vulnerability, tracked as CVE-2025-3248, affects versions prior to 1.3.0 and requires immediate patching by organizations. Although a fix was introduced in version 1.3.0, some risks remain, and users are advised to restrict network access to minimize exploitation.

🛰️ ICS, OT & IoT

🛢️ ⛽️ The US cybersecurity agencies have warned that hackers are targeting the oil and gas sector's critical infrastructure. These attacks use basic techniques and exploit poor cybersecurity practices, which could lead to significant disruptions. Organizations are urged to improve their cybersecurity measures, including securing remote access and changing default passwords.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.