๐Ÿ•ต๐Ÿปโ€โ™‚๏ธ [InfoSec MASHUP] 23/2025

Cartier announced a data breach; Microsoft and CrowdStrike are working together to connect the different names used for hacking groups; German authorities have identified Vitaly Nikolaevich Kovalev as the leader of the TrickBot cybercrime gang; Over 30 Vulnerabilities Patched in Android; Microsoft has launched a free European Security Program to enhance cybersecurity for EU governments; Microsoft Helps India CBI Dismantle Indian Call Centers;

We now have 1,644 subscribers! Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let's keep growing the community.

Let's now dive into this week's top insights! 🚀

Table of Contents

🔓 BREACHES & SECURITY INCIDENTS

🇺🇦 🇷🇺 Ukraine's military intelligence claims to have hacked the Russian company Tupolev, stealing 4.4 gigabytes of classified information. This data includes personal details of employees, internal communications, and documents related to the company's operations. The hackers also defaced Tupolev's website, redirecting it to another aviation company, and suggested that their operation could significantly impact Russia's strategic aviation.

🇺🇸 A hacker has repackaged data from a 2021 AT&T breach, linking Social Security numbers and birth dates to 49 million phone numbers. AT&T is investigating the leak, which they believe originates from their earlier data breach affecting 70 million customers. This repackaged data has been shared on a hacking forum, but it is not a new leak.

🇺🇸 MainStreet Bank has reported a data breach affecting about 4.65% of its customers due to a third-party vendor. The breach occurred between April 17, 2023, and April 22, 2025, compromising payment card data like card names and numbers. The bank assures customers that no unauthorized transactions took place and is advising them to check their accounts and request new cards.

🇫🇷 Cartier announced a data breach where some client information, including names and email addresses, was exposed. However, no passwords or financial information were compromised. The luxury brand is working with cybersecurity experts to investigate the incident and advises customers to stay alert for suspicious communications.

Figure: Breach information shared on social media/X.com

🇺🇸 The North Face has alerted customers that their personal information was stolen in a credential stuffing attack on April 23, 2025. This incident marks the fourth time the company has faced such an attack since 2020, exposing details like names and email addresses but not payment information. The North Face is now notifying affected customers about the breach.

โž More Breaches:

🔗 Partners and Affiliates

๐Ÿ” NordVPN x Saily Campaign (May 14 - July 2)

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: up to 73% off on selected 2-year NordVPN plans plus a free Global Saily eSIM data plan!

๐Ÿฅท๐Ÿป CYBERCRIME, CYBER ESPIONAGE, APTโ€™s

🇮🇳 🇯🇵 India's Central Bureau of Investigation has arrested four people and shut down two illegal call centers involved in a tech support scam targeting Japanese citizens. The operation, supported by Microsoft and Japan's National Police Agency, revealed that scammers posed as tech support to trick victims into transferring money. Authorities seized valuable evidence and emphasized the need for global cooperation to combat cybercrime.

🇪🇸 Police from over a dozen countries arrested 20 suspects involved in distributing child sexual abuse material — The operation, initiated by the Spanish National Police, uncovered instant messaging groups sharing this content and led to coordinated actions across multiple countries. In total, multiple arrests were made in Latin America, Europe, and the United States, with additional devices seized during the operation.

🇺🇸 U.S. Federal authorities seized 145 domains and cryptocurrency funds linked to BidenCash, a cybercrime platform for stolen credit cards and personal information. The platform had over 117,000 users and generated more than $17 million in illegal revenue since its launch in March 2022. Now, the seized domains redirect to a server controlled by U.S. law enforcement, showing seizure notices.

โ˜๏ธ Cybercriminals, known as the ShinyHunters group (UNC6040), are targeting companies to steal data from Salesforce accounts using social engineering tactics like voice phishing. They trick employees into connecting a malicious version of Salesforce's Data Loader, allowing access to sensitive information and other platforms like Microsoft 365. After stealing the data, the attackers often extort the companies for ransom, sometimes months later, claiming affiliation with the notorious ShinyHunters group.

Figure: The victim needs to enter a code to connect the threat-actor-controlled Data Loader/google.com

๐Ÿซฑ๐Ÿปโ€๐Ÿซฒ๐Ÿผ Microsoft and CrowdStrike are working together to connect the different names used for hacking groups by mapping their aliases. This new system will help security teams share information more easily and respond faster to threats. Other cybersecurity firms will also join this initiative to improve clarity and collaboration in tracking cyber threats.

🇺🇸 The FBI arrested Nathan Vilas Laatsch, a Defense Intelligence Agency employee, for trying to share classified information with a foreign government. He allegedly copied sensitive data to a notepad and left a thumb drive with secret documents in a park. Laatsch's actions were seen as a serious threat to national security.

🇺🇸 The U.S. Department of Justice seized four domains linked to a cybercrime group that helped criminals hide their malware from security software. This action was part of a global operation involving multiple countries, aiming to disrupt cybercrime activities. The seized domains offered services that made malicious software difficult to detect, allowing unauthorized access to computer systems.

Figure: Banner displayed on seized websites/justice.gov

🇩🇪 German authorities have identified Vitaly Nikolaevich Kovalev as the leader of the TrickBot cybercrime gang — The group, active since 2016, has infected millions of computers and extorted victims for hundreds of millions of dollars. Kovalev is also linked to the Conti group [DE] and is believed to have made over $500 million from his illegal activities.

โž More:

๐Ÿ—“๏ธ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events โ€” Feel free to contribute by submitting issues or pull requests. Thanks! ๐Ÿ˜‰

๐Ÿ‘จ๐Ÿปโ€โš–๏ธ ๐Ÿ‘€ GOVERNMENT, POLITICS, AND PRIVACY

🇪🇺 Microsoft has launched a free European Security Program to enhance cybersecurity for EU governments — The program focuses on countering attacks from state-backed actors, particularly from Russia, China, Iran, and North Korea. It utilizes artificial intelligence for real-time threat detection and aims to strengthen partnerships to combat cybercrime.

🇩🇪 💰 Germany's data protection authority fined Vodafone GmbH $51 million for privacy and security violations. The fines were due to fraudulent activities by employees at partner agencies and vulnerabilities in Vodafone's authentication systems. Vodafone has cooperated with the investigation and made updates to prevent future issues.

🇬🇧 The UK's 2025 Strategic Defence Review plans to enhance military operations by integrating cyber, AI, and digital capabilities. This marks a shift in acknowledging the importance of cyberwarfare, as the UK has previously denied engaging in offensive cyber actions. The review aims to create a unified CyberEM command to coordinate military efforts and improve response strategies in the face of modern threats.

🇺🇸 Experts have endorsed Sean Cairncross for the position of national cyber director before his Senate hearing. The endorsement comes from 24 cyber professionals, including former government officials from both parties, highlighting his experience and ability to address national security challenges. Cairncross, who has less cyber experience than his predecessors, is praised for his skills in public service and coalition-building.

โš–๏ธ ๐Ÿ’ฐ NSO Group is asking a judge to reduce a $167 million damages ruling from a jury in favor of WhatsApp, calling it excessive and unfair. They argue that the amount exceeds legal limits and shows bias against their business practices. WhatsApp plans to continue fighting the case and seeks to stop NSO from targeting its platform again.

🇺🇸 President Trump's 2026 budget proposal plans to cut over 1,000 jobs from the Cybersecurity and Infrastructure Security Agency (CISA) and reduce its budget by $495 million. The cuts aim to streamline operations and focus on critical infrastructure security, but there are bipartisan concerns about the impact of these reductions. Other federal cybersecurity programs would also face budget cuts under this proposal.

🔗 Partners and Affiliates

๐ŸŒ Stay connected and secure on the go with Airalo's global eSIMs โ€” Use the code NEWTOAIRALO15 if youโ€™re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

📺 The FBI warns that the BADBOX 2.0 malware has infected over 1 million Internet-connected devices, turning them into tools for cybercriminals. This malware is often found on cheap Android devices like smart TVs and tablets, which can come preloaded with it or become infected through malicious apps. Consumers are advised to check their devices for suspicious activity and avoid downloading apps from unofficial sources.

🎠 A new malware called Chaos RAT targets both Windows and Linux systems by tricking users into downloading fake network tools. It allows hackers to control infected machines and has been linked to cryptocurrency mining campaigns. Researchers warn that open-source tools like Chaos RAT can be easily misused, making it difficult to trace the attackers.

💎 Two malicious RubyGems packages pretending to be Fastlane plugins are stealing sensitive data from Telegram users by redirecting API requests to attacker-controlled servers. These packages can intercept chat IDs, message content, and bot tokens, posing a significant risk to developers. Users are advised to remove the malicious gems and rotate any compromised bot tokens immediately.

🎠 📲 The Android banking trojan Crocodilus is now actively targeting users in eight countries, including those in Europe and South America. It uses advanced techniques to avoid detection and can steal information from banking and crypto wallet apps. The malware's campaigns continue to evolve, posing a growing global threat to users.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

💔 Google's Chrome browser will stop trusting certificates from two certificate authorities, Chunghwa Telecom and Netlock, due to concerning compliance issues. These authorities are important for web security as they certify the authenticity of websites. Chrome's security team stated that their lack of progress and compliance failures have led to a loss of trust.

🦊 Mozilla has launched a new security feature to detect and block malicious Firefox add-ons that steal cryptocurrency. This system evaluates risk profiles for wallet extensions and alerts human reviewers if a potential threat is identified. By removing these harmful extensions quickly, Mozilla aims to protect users.

🔗 Partners and Affiliates

โšก๏ธ Unlock Your Peak Performance โ€“ First Month FREE!

Optimize your sleep, recovery, and performance with WHOOP. Perfect for cybersecurity pros who need to stay focused and ahead of the threat. Try it out, get a free WHOOP 4.0 and one month free.

๐Ÿ› ๐Ÿง  VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

โž From the Patching Department:

🇫🇮 🚀 Mikko Hypponen has left the anti-malware industry to become Chief Research Officer at Sensofusion, a Finnish company that focuses on anti-drone technology. He has over 30 years of experience in cybersecurity, previously working at F-Secure and WithSecure. Hypponen believes that fighting drones is similar to combating malware, as both involve detecting hidden threats.

๐Ÿ› A critical vulnerability in Cisco IOS XE, tracked as CVE-2025-20188, allows remote code execution through a flaw in the Out-of-Band Access Point feature. This bug, affecting several Catalyst wireless controllers, can be exploited without authentication by sending crafted HTTPS requests. Cisco has released patches, and users are urged to upgrade their software or disable the vulnerable feature.

๐Ÿ›ฐ๏ธ ICS, OT & IoT

🇷🇺 🇺🇦 Russia is targeting Ukraine's critical infrastructure with a new malware called PathWiper, which destroys data. This attack follows previous wiper attacks linked to Russia, including HermeticWiper and others. PathWiper corrupts important system files and uses legitimate tools to carry out its malicious actions.

โ˜€๏ธ Researchers found that about 35,000 solar power systems are exposed to the internet, making them vulnerable to hacking. Many of these systems have known security flaws, and some have already been exploited by botnets. While not all exposed devices can be hacked, their vulnerabilities could still pose risks to electrical grids.

Figure: Exposed devices per country/forescout.com

๐Ÿ—’๏ธ Honeywell's 2025 Cybersecurity Threat Report reveals a significant rise in ransomware and malware attacks in the industrial sector, particularly affecting operational technology (OT) systems. The report highlights a staggering 3,000% increase in Ramnit infections in late 2024, suggesting it may be used to steal control system credentials. This trend raises concerns about whether these attacks are targeted or simply effective at extracting sensitive information.

๐Ÿ› ๐Ÿ”“ Over 1,000 industrial monitoring devices by Instantel may be vulnerable to remote hacking due to a serious security flaw. This vulnerability allows attackers to execute commands, potentially disrupting operations and compromising data integrity. Instantel is working on a fix, and users are advised to restrict access to these devices until a patch is available.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague — it's one of the best ways to support us.

Thanks for reading today's newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
