🕵🏻‍♂️ [InfoSec MASHUP] 26/2025

The U.S. Department of Homeland Security has warned about increased cyberattack risks from Iranian hacking groups; hackers linked to the Chinese government exploited a serious vulnerability in a Canadian telecom provider; a Russian court released four members of the REvil ransomware gang after they served their time; the U.S. House of Representatives has banned WhatsApp on staff devices; new malware called SparkKitty was discovered in apps on Google Play and the Apple App Store.

We now have 1,642 subscribers! Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let’s keep growing the community.

Let’s now dive into this week’s top insights! 🚀

🔓 BREACHES & SECURITY INCIDENTS

🇺🇸 ✈️ Hawaiian Airlines is investigating a cyberattack that disrupted some of its IT systems, but flight safety and schedules have not been affected. The airline has contacted authorities and hired cybersecurity experts to help with the investigation and recovery. They are focused on ensuring the safety and security of their guests and employees during this incident.

🇺🇸 Main Line Health and Select Medical have reported data breaches affecting over 100,000 people each. Main Line Health's breach involved a network attack that stole sensitive information, while Select Medical's data was exposed through a security incident with a former vendor. Both incidents highlight the ongoing vulnerability of the healthcare sector to cyberattacks.

🇮🇷 🇸🇦 A pro-Iranian hacktivist group called Cyber Fattah leaked thousands of personal records from the 2024 Saudi Games, targeting athletes and visitors' information. The breach was part of a larger cyber operation linked to Iran's ongoing tensions with the U.S., Israel, and Saudi Arabia. This incident highlights the growing trend of cyber warfare in the Middle East, where hacktivist groups collaborate to advance their ideological goals.

🇺🇸 McLaren Health Care has informed 743,000 patients about a data breach caused by a ransomware attack in July 2024. The breach was discovered on August 5, 2024, but investigations to determine the impacted individuals were only completed in May 2025. This incident marks McLaren's second major data breach in recent years, following a previous attack in July 2023.

🇺🇸 Nucor, the largest steel producer in North America, confirmed that hackers stole data during a recent cybersecurity breach. The company temporarily halted production and took down some systems to contain the incident while notifying law enforcement and hiring cybersecurity experts. Nucor has restored access to its systems and believes the attackers no longer have access to its network.

🇬🇧 Oxford City Council experienced a data breach that exposed personal information from its legacy systems, affecting data from 2001 to 2022. The council has notified those impacted and is working to improve security measures. So far, there is no evidence that citizen data was compromised in the breach.

➝ More breaches:

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign (July 2 - August 13)

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APTs

🇺🇸 ⚖️ A Kansas City man named Nicholas Michael Kloster pleaded guilty to hacking multiple organizations to promote his cybersecurity services. He accessed systems illegally, including a gym and a non-profit, and made unauthorized changes like altering passwords. Kloster faces up to five years in prison and must pay restitution to his victims.

🇬🇧 🇫🇷 🇺🇸 A 25-year-old British man named Kai West, suspected of being the hacker IntelBroker, has been arrested in France and charged by the U.S. Justice Department. He is accused of stealing data from over 40 companies and selling it for over $2 million, causing damages exceeding $25 million. West faces significant prison time if extradited to the U.S., where he is linked to various cybercrimes.

🇨🇳 A Chinese APT group has created a network of over 1,000 hacked routers for espionage, targeting industries in the US and Southeast Asia. They use a backdoor called ShortLeash to maintain long-term access to these devices, which are mainly vulnerable Ruckus Wireless and Buffalo Technology routers. The campaign, named LapDogs, began in September 2023 and is linked to another network called PolarEdge.

🇷🇺 🇺🇦 The Russian hacking group APT28 is using Signal chats to launch malware attacks on Ukrainian government targets with new malware called BeardShell and SlimAgent. These attacks involve sending malicious documents through Signal, which is not a security flaw in the app itself. APT28 has a history of cyberespionage against Ukraine and has been linked to various cyberattacks using advanced techniques.

🇨🇳 🇨🇦 Hackers linked to the Chinese government exploited a serious vulnerability in a Canadian telecom provider. This flaw had been known and patched 16 months earlier. The group responsible, called Salt Typhoon, is known for hacking on behalf of China.

🇷🇺 ⚖️ A Russian court released four members of the REvil ransomware gang after they served their time in pretrial detention. The men were found guilty of crimes targeting American victims and had their luxury items seized. Cooperation between the U.S. and Russia on cybercrime cases has stalled due to rising tensions over the war in Ukraine.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests. Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

💘 ⚖️ Bumble's new AI Icebreakers feature uses users' personal data without their consent, violating EU data protection laws. The company claims it has a "legitimate interest" to use this data, but many argue it's misleading and creates a false sense of control over personal information. As a result, noyb has filed a complaint with the Austrian data protection authority to address these issues.

🇺🇸 🇮🇳 Go public! The U.S. Embassy in India now requires applicants for certain visas to make their social media accounts public. This new rule helps officials verify applicants' identities and eligibility for entry into the U.S. Failure to comply may lead to visa application rejection.

🇺🇸 💬 The U.S. House of Representatives has banned WhatsApp on staff devices due to security concerns. A memo cited risks related to user data protection and encryption. Staff are advised to use safer alternatives like Signal and iMessage instead.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🇰🇵 North Korean hackers are targeting job seekers with fake interviews and malicious npm packages, which can infect their devices with malware. These 35 packages, disguised as legitimate libraries, have been downloaded over 4,000 times and can steal sensitive information. Developers should be cautious of job offers and always run unknown code in safe environments.

🫣 Hackers are exploiting ConnectWise applications to hide malware using a technique called Authenticode stuffing. This allows them to modify legitimate software without triggering security checks, making it difficult for users to detect the malicious code. Since March 2025, there has been a rise in these attacks, which can disguise the modified software as harmless programs.
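As an added illustration of the check a defender would run (example code written for this issue, not code from the original page or from the researchers who reported the campaign): Authenticode leaves the attribute certificate table out of the signed hash, so extra bytes placed inside that table after the PKCS#7 blob do not invalidate the signature, which is what "stuffing" relies on. The script below walks the PE security directory and counts such bytes. `build_sample_pe` produces a constructed minimal PE32+ image with a placeholder DER blob rather than a real signature, and tolerating up to 7 trailing zero bytes as alignment padding is an assumption based on the 8-byte alignment signing tools apply.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data directory index of the certificate table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_total_length(blob: bytes) -> int:
    """Encoded size (tag + length + content) of the DER SEQUENCE at the start of blob."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate blob does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                        # short-form length
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def security_directory(pe: bytes):
    """Return (file offset, size) of the attribute certificate table from the optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                 # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                      # PE32
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:                    # PE32+
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError("unknown optional header magic")
    n_dirs = struct.unpack_from("<I", pe, opt + nrva_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    # Unlike other directories, the security entry holds a raw file offset, not an RVA.
    return struct.unpack_from("<II", pe, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def certificate_table_slack(pe: bytes) -> int:
    """Count bytes in the certificate table that are neither PKCS#7 data nor alignment padding."""
    offset, size = security_directory(pe)
    if size == 0:
        raise ValueError("file carries no Authenticode signature")
    if offset + size > len(pe):
        raise ValueError("security directory points outside the file")
    table = pe[offset:offset + size]
    slack, pos = 0, 0
    while pos + 8 <= len(table):
        length, _revision, ctype = struct.unpack_from("<IHH", table, pos)
        if length < 8 or pos + length > len(table):
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        body = table[pos + 8:pos + length]
        if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            used = der_total_length(body)
            if used > len(body):
                raise ValueError("DER blob longer than its WIN_CERTIFICATE entry")
            tail = body[used:]
            # Assumption: at most 7 trailing zero bytes are legitimate 8-byte alignment padding.
            padding = len(tail) - len(tail.rstrip(b"\0"))
            slack += len(tail) - min(padding, 7)
        pos += (length + 7) & ~7             # entries are 8-byte aligned
    return slack


def build_sample_pe(stuffed: bytes = b"") -> bytes:
    """Constructed minimal PE32+ with one WIN_CERTIFICATE entry; the DER blob is a placeholder."""
    cert_blob = b"\x30\x82" + (300).to_bytes(2, "big") + bytes(300)   # fake SEQUENCE, not a real PKCS#7
    entry = cert_blob + stuffed
    entry += b"\0" * (-(8 + len(entry)) % 8)                          # pad like a signing tool would
    win_cert = struct.pack("<IHH", 8 + len(entry), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + entry
    opt_size = 112 + 16 * 8
    headers_len = 0x40 + 4 + 20 + opt_size                            # 328, 8-byte aligned
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                              # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, headers_len, len(win_cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    print("clean sample slack bytes:", certificate_table_slack(build_sample_pe()))
    print("stuffed sample slack bytes:", certificate_table_slack(build_sample_pe(b"constructed-stuffed-config")))
```

A non-zero result means the signature block carries bytes the signature does not cover; that alone is not proof of malice, but it is the condition stuffed binaries satisfy, and it is cheap to flag at the point where signed installers are admitted into an environment.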

💸 The Prometei botnet, which targets Windows and Linux systems for cryptocurrency mining, has seen a rise in activity as a new variant emerges. This updated malware includes features like a backdoor, self-updating capabilities, and methods for evading detection. While its main goal is to mine Monero, it can also steal credentials and deploy additional malware.

🐱 A new malware called SparkKitty was discovered in apps on Google Play and the Apple App Store, stealing photos and targeting cryptocurrency wallet recovery phrases. This malware can access and upload images from infected devices, posing a risk for users who store sensitive information on their phones. Experts advise against saving wallet recovery phrases on mobile devices and recommend keeping them in a secure, offline location.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🔓 A new AI jailbreak called Echo Chamber can easily manipulate language models to produce harmful content by cleverly steering the conversation while avoiding prohibited topics. This method has shown a high success rate in generating harmful outputs like misinformation and hate speech with minimal technical skill required. Experts warn that the widespread use of such jailbreaks poses significant risks for AI-generated content.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

🧨 Citrix announced a serious zero-day vulnerability (CVE-2025-6543) that is being actively exploited in its NetScaler products. This vulnerability allows attackers to potentially gain control and cause service disruptions. Security experts are questioning Citrix's assessment of the threat and the timing of the disclosure, given recent related vulnerabilities.

🌍 Cybercriminals are targeting Africa's financial sector using open-source tools to gain access to networks and sell that access on the dark web. They disguise their malicious software as legitimate applications to avoid detection.

Figure: How the threat actor used PsExec, Chisel, PoshC2 and Classroom Spy as part of their attack playbook (source: Palo Alto Networks Unit 42).

📧 Hackers are targeting over 70 Microsoft Exchange servers worldwide to steal user credentials by injecting keylogger code into login pages. These attacks exploit known vulnerabilities in the servers and have affected various sectors, including government and banking. Many compromised servers remain vulnerable, allowing attackers to capture sensitive data without being detected.

🇺🇸 🇮🇷 The U.S. Department of Homeland Security has warned about increased cyberattack risks from Iranian hacking groups due to the ongoing conflict. They noted that low-level cyberattacks could target U.S. networks, and there is a concern about potential violent responses from extremists. Previous incidents show that Iranian hackers have targeted various sectors in the U.S., including healthcare and government.

🛡️SHIELDS-UP: LinkedIn post by Jen Easterly:

🛡️SHIELDS-UP: In the wake of yesterday’s U.S. military action against Iranian nuclear targets, U.S. critical infrastructure owners & operators should be vigilant for malicious cyber activity. While it’s unclear whether its cyber capabilities were at all impacted by recent Israeli strikes, Iran has a track record of retaliatory cyber operations targeting civilian infrastructure, including: water systems; financial institutions; energy pipelines; government networks; and more. (https://lnkd.in/eaiK7mUC)

U.S. critical infrastructure owners and operators—both at home & abroad—should be #ShieldsUp and prepared for malicious cyber activity, including:
⚠️ Credential theft & phishing campaigns
⚠️ Wipers disguised as ransomware
⚠️ Hacktivist fronts and false-flag ops
⚠️ Targeting of ICS/OT systems

The playbook is known. So is the response, and it’s not rocket science:
✅ Enforce MFA across all cloud, IT, and OT systems
✅ Patch every Internet-facing asset
✅ Segment networks & elevate detection on OT traffic
✅ Conduct tabletop cybersecurity drills, in particular with ICS scenarios
✅ Subscribe to ISAC alerts for real-time intelligence (ICYMI: Recent statement from IT-ISAC & Ag-ISAC: https://lnkd.in/ePZdWPzr)
✅ Report suspicious activity immediately to the Cybersecurity and Infrastructure Security Agency or the Federal Bureau of Investigation (FBI)

In cyberspace, proximity doesn’t matter—intent, capability, and access do. And Iran checks all three boxes. 🚨 Stay Vigilant.

🛰️ ICS, OT & IoT

🦠 Siemens has alerted customers about an issue with Microsoft Defender Antivirus affecting its Simatic PCS products. The antivirus does not provide an 'alert only' option, which means it may not notify operators when malware is detected. Siemens recommends that plant managers assess risks and adjust their antivirus settings to prevent disruptions.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
