🕵🏻‍♂️ [InfoSec MASHUP] 22/2025

GitHub’s MCP Leaks Data From Private Repositories; Adidas Announced Data Breach Through 3rd-Party; Russian “Void Blizzard” Has Been Linked to a Security Breach of the Dutch Police; Researchers Believe the Spanish Government Was Behind a Hacking Group Called “Careto”; Authorities in Pakistan Arrested 21 People Linked to a Malware Service Called “Heartsender”; The White House Is Investigating a Hack of Chief of Staff Susie Wiles’ Personal Phone

We now have 1,644 subscribers! Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let’s keep growing the community.

Let’s now dive into this week’s top insights! 🚀


🔓 BREACHES & SECURITY INCIDENTS

🖥️ ConnectWise has reported a suspected state-sponsored hack affecting a small number of its ScreenConnect customers. The company is working with Mandiant and law enforcement to investigate the incident and has implemented enhanced security measures. A high-severity vulnerability (CVE-2025-3935) was identified, which allowed attackers to execute code on affected servers, and patches have been released to address the issue.

👙 Victoria’s Secret is dealing with a security incident that has disrupted its website and online orders. The company has taken down its website and some in-store services as a precaution. Despite the issues online, Victoria’s Secret stores are still open.

💸 Hackers stole about $223 million from the cryptocurrency exchange Cetus Protocol by exploiting a vulnerability in its smart contract. Cetus paused its contract immediately but was unable to prevent the theft of various tokens. The company is working on recovering the stolen funds and has offered the hackers a reward for their return.

🇩🇪 Adidas announced a data breach after hackers accessed customer data through a third-party service provider. The stolen information includes names and contact details but does not involve payment information or passwords. The company is notifying affected customers and authorities while investigating the incident.

🇨🇦 Nova Scotia Power has confirmed it was hit by a ransomware attack, affecting the personal information of approximately 280,000 customers. The breach included sensitive data such as names, contact details, and financial information. The company has not paid the hackers and is working with cybersecurity experts to address the situation.

➝ More breaches:

🔗 Partners and Affiliates

🔐 NordVPN x Saily Campaign (May 14 - July 2)

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: up to 73% off on selected 2-year NordVPN plans plus a free Global Saily eSIM data plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APTs

🇨🇳 China-linked hackers are exploiting security flaws in SAP and SQL servers to target organizations in Asia and Brazil. They use various vulnerabilities to gain access, deploy malicious tools, and attempt ransomware attacks, particularly focusing on logistics, retail, IT companies, and government organizations. The group, known as Earth Lamia, is actively refining its tactics and developing new malware to enhance its operations.

🇵🇰 Authorities in Pakistan arrested 21 people linked to a malware service called "Heartsender" that helped organized crime groups scam companies for over a decade. The service was known for delivering spam and malware, causing more than $50 million in losses in the U.S. alone. Rameez Shahzad, the alleged leader, was among those arrested, having previously been identified for his operational mistakes in 2021.

🗓️ 🇨🇳 APT41, a hacking group linked to the Chinese government, used Google Calendar to help carry out attacks on various government agencies. Google discovered that malware was being delivered through a compromised government website and that Calendar was used for command-and-control coordination. In response, Google identified and shut down the hacker-controlled accounts and projects.

🇮🇷 🇺🇸 ⚖️ An Iranian man named Sina Gholinejad pleaded guilty to his role in the Robbinhood ransomware scheme, which attacked several U.S. cities in 2019, including Baltimore. He faces up to 30 years in prison for computer fraud and conspiracy to commit wire fraud. The scheme caused over $19 million in damages and involved laundering ransom payments through cryptocurrency.

🇷🇺 🇳🇱 A new Russian-backed hacking group called Void Blizzard has been linked to a security breach of the Dutch police in September 2024, where they stole contact information of several officers. This group targets organizations in Europe and NATO, focusing on sensitive information related to military and defense. Their tactics include using stolen credentials and malware to access and exfiltrate data from compromised systems.

🇷🇺 🇹🇯 Russia-linked hackers known as TAG-110 are targeting the Tajikistan government with spear-phishing attacks using malicious Word documents. This campaign marks a shift in their tactics, moving away from previous methods to focus on macro-enabled templates. The goal is likely to gather intelligence for political or security purposes during sensitive times.

🇪🇸 Researchers believe the Spanish government was behind a hacking group called Careto, which was discovered by Kaspersky over a decade ago. Careto used advanced malware to target government institutions and companies worldwide, particularly in Cuba. Recently, Kaspersky found evidence of Careto's activities again, showing they remain a sophisticated threat.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec-related events. Feel free to contribute by submitting issues or pull requests. Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇺🇸 The White House is investigating a hack of Chief of Staff Susie Wiles' personal phone, where hackers accessed her contacts and impersonated her. They reportedly used AI to mimic her voice and sent messages from an unassociated number. This incident follows previous attempts by hackers to compromise Wiles' personal email and highlights ongoing cybersecurity issues within the Trump administration.

🇺🇸 🇵🇭 The U.S. government has sanctioned the tech company FUNNULL for its role in cyber scams that have caused $200 million in losses for American victims. FUNNULL, based in the Philippines and run by Liu Lizhi, provided services that helped cybercriminals create fake investment websites. The Treasury Department's actions aim to combat the growing threat of scams targeting Americans.

🇨🇿 🇨🇳 The Czech government has condemned a cyber attack linked to China's APT31 group, which infiltrated its foreign ministry networks. Officials stated that the hackers accessed critical infrastructure without detection since 2022. The Czech Republic, along with the EU, urged China to stop such malicious activities and adhere to international norms in cyberspace.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🎣 🎠 The Interlock ransomware gang is using a new remote access trojan (RAT) called NodeSnake to target universities for ongoing access to their networks. This malware is spread through phishing emails and can collect system data while avoiding detection. Its development indicates that Interlock is evolving to enhance its stealth and persistence.

🚢 🤑 A new malware campaign targets misconfigured Docker containers to mine Dero cryptocurrency, spreading quickly to other vulnerable instances. The malware uses a tool that masquerades as a legitimate web server to exploit exposed Docker APIs and create a network of mining bots. This threat can compromise any containerized environment with insecure Docker APIs, allowing it to hijack resources for cryptojacking.
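The misconfiguration this campaign abuses is a Docker daemon API reachable over plain TCP. As an added defender-side example (not from the campaign report or any vendor), the Python audit below parses a daemon.json plus the running dockerd command line and flags such listeners; the config samples are constructed, while the hosts/tlsverify keys and the -H/--tlsverify flags are real dockerd options.

```python
import json
import shlex
from dataclasses import dataclass

ANY_ADDR = ("0.0.0.0", "", "::", "[::]")  # bindings reachable from every interface

@dataclass
class DockerApiFinding:
    listener: str
    severity: str
    reason: str

def audit_docker_api(daemon_json: str, dockerd_cmdline: str = "") -> list:
    """One finding per TCP listener lacking TLS client auth or bound to all interfaces.
    Inputs: text of /etc/docker/daemon.json (may be empty) and the running dockerd command line."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify", False))
    args = shlex.split(dockerd_cmdline)
    for i, a in enumerate(args):  # -H/--host and --tlsverify flags apply alongside the file
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif a.startswith(("-H=", "--host=")):
            hosts.append(a.split("=", 1)[1])
        elif a in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not network-reachable
        addr = h[len("tcp://"):].rsplit(":", 1)[0]
        if not tlsverify:
            sev = "critical" if addr in ANY_ADDR else "high"
            findings.append(DockerApiFinding(h, sev, "API over TCP without tlsverify: "
                                             "any client that reaches it controls the host"))
        elif addr in ANY_ADDR:
            findings.append(DockerApiFinding(h, "medium", "tlsverify on but bound to all interfaces"))
    return findings

# Constructed samples: the weak setting this campaign abuses, and the corrected one.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"], '
                        '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
                        '"tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}')

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, [(f.listener, f.severity) for f in audit_docker_api(cfg)])
```

Run it against the real daemon.json and the output of `ps -o args= -C dockerd` on each Docker host; a "critical" finding means the API is exposed exactly the way this campaign looks for.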

Figure: Infection chain (source: securelist.com)

🎣 ⚖️ The FBI warns that law firms are being targeted by a ransomware group called the Silent Ransom Group (SRG), which uses phishing emails and phone calls to gain access to their systems. Once inside, SRG steals valuable data and demands a ransom, threatening to release the information publicly. Organizations are advised to train employees on phishing risks, implement security measures, and report any attack details to the FBI.

🥸 A new malware campaign called Bumblebee is targeting IT staff by using fake versions of popular tools like Zenmap and WinMTR to distribute malicious software. These fake websites appear legitimate but deliver infected installers that can compromise users' devices. To stay safe, it's important to download software only from official sources and verify the files before installation.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🇻🇳 Mandiant researchers have discovered a hacking group called UNC6032 spreading fake AI video generator ads that contain malware. These ads lead to phishing sites that steal personal information and deploy harmful software on victims' devices. The surge of interest in AI video tools has made them a prime lure for cybercriminals, affecting many users and industries.

🔧 Criminals are increasingly targeting crypto executives and their families with violent abductions, aiming for large ransoms in cryptocurrency. Recent attacks have raised concerns about security, especially after data breaches revealed personal information of crypto users. Many victims are now taking steps to protect their identities and private information online.

🔗 Partners and Affiliates

⚡️ Unlock Your Peak Performance – First Month FREE!

Optimize your sleep, recovery, and performance with WHOOP. Perfect for cybersecurity pros who need to stay focused and ahead of the threat. Try it out, get a free WHOOP 4.0 and one month free.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

📁 OneDrive's File Picker gives web apps read access to all of a user's files rather than only the ones being uploaded, because of overly broad permissions and unclear consent prompts. This issue affects many popular apps and could let them reach sensitive user data. Experts recommend that Microsoft narrow its OAuth scopes to better protect user data.

🐛 🔓 A serious vulnerability in GitHub's MCP integration allows attackers to hijack a user's AI agent through malicious GitHub Issues and leak data from private repositories.

Figure: Attack flow (source: invariantlabs.ai)

🛰️ ICS, OT & IoT

🚪 A new malware called PumaBot targets IoT devices by brute-forcing SSH credentials to gain access. It specifically focuses on certain IP addresses and can install persistent backdoors to maintain control. To protect against such threats, it's important to update device firmware, change default passwords, and isolate IoT devices on separate networks.

🚪 Thousands of Asus routers are infected with a hidden backdoor that allows unauthorized access even after reboots and firmware updates. Attackers exploit vulnerabilities to gain control and install their own public key, giving them an easy login. This persistent access lets them keep control without leaving obvious traces.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague; it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
