🕵🏻‍♂️ [InfoSec MASHUP] 28/2025

Teenagers arrested in connection with cyber attacks on M&S and the Co-op; AI voice clones have hit the White House AGAIN; Exploit for CitrixBleed2 Released; Trend where European authorities are detaining individuals on behalf of the U.S. for cybercrime-related accusations; eSIMs can be cloned to spy on mobile communications; Chinese hackers suspected in breach of powerful Washington DC law firm; Millions of cars exposed through Bluetooth Flaw;

We now have 1,641 subscribers! Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let’s keep growing the community.

Let’s now dive into this week’s top insights! 🚀

🔓 BREACHES & SECURITY INCIDENTS

🇺🇸 🍟 A data leak in McDonald’s chatbot recruitment platform exposed personal information from over 64 million job applicants. Security researchers found that default login credentials and an insecure API allowed access to sensitive data, including names, addresses, and contact information. McDonald's and the platform's developer, Paradox.ai, quickly fixed the vulnerabilities after being notified.

🇬🇧 Four people have been arrested in connection with cyber attacks on M&S and the Co-op. The suspects, aged 17 to 20, are accused of crimes including blackmail and money laundering. These attacks caused major disruptions for the retailers, with M&S estimating losses of £300 million.

🇬🇧 Marks & Spencer's chairman, Archie Norman, would not confirm if the company paid hackers after a ransomware attack. He mentioned that discussing details about the incident is not in the public interest due to law enforcement matters. The attack, attributed to the DragonForce hacking group, resulted in stolen customer data and disrupted the company's operations for weeks.

💸 Bitcoin Depot, a Bitcoin ATM operator, has reported a data breach affecting nearly 27,000 users. Sensitive information, such as names, phone numbers, and addresses, was exposed after suspicious activity was detected last year. Customers are advised to monitor for fraud but are not being offered identity protection services.

🇯🇵 🇺🇸 Nippon Steel Solutions reported a data breach caused by a zero-day vulnerability that allowed hackers to access sensitive information about customers, partners, and employees. The company has not found evidence of a data leak on the dark web, despite the breach. Additionally, the notorious ransomware group BianLian previously claimed to have stolen data from Nippon Steel USA, but it's unclear if the two incidents are connected.

🇨🇦 ⚡️ Nova Scotia Power, a Canadian electric utility, experienced a cyberattack that disrupted communication between its power meters and company systems. Although there were no power outages, the attack led to customer billing delays, with many receiving estimated bills. About 280,000 customers, including some in the U.S., had their personal information compromised in the ransomware breach.

🇺🇸 Ingram Micro, a major technology distributor, is experiencing an outage due to a ransomware attack that started last Thursday. The attack has disrupted software licensing, affecting customers' ability to use certain products. The company is working to restore its systems and has informed shareholders about the breach.

➝ More breaches:

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign (July 2 - August 13)

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇨🇳 🇺🇸 Chinese hackers are suspected of breaching the email accounts of attorneys at the Washington DC law firm Wiley Rein to gather intelligence. The hackers are believed to be linked to the Chinese government and have targeted information related to trade and US government agencies. Wiley Rein is investigating the breach and has notified law enforcement.

🇫🇷 🇷🇺 🇺🇸 French police arrested Russian basketball player Daniil Kasatkin in Paris at the request of the United States, suspecting him of being involved in a ransomware ring. His lawyer claims he is innocent and knows nothing about computers. This arrest is part of a trend where European authorities are detaining individuals on behalf of the U.S. for cybercrime-related accusations.

🇺🇸 🇰🇵 ⚖️ The U.S. Treasury sanctioned a North Korean hacker, Song Kum Hyok, for his role in a scheme that used fake identities to hire remote IT workers. This fraudulent operation is part of a larger effort by North Korea to fund its weapons programs through cybercrimes. The sanctions also target a Russian national and companies involved in facilitating this illicit activity.

🇮🇹 🇺🇸 🇨🇳 Italian authorities arrested Xu Zewei (the arrest came at the request of the United States), a Chinese national, for his role in the Microsoft Exchange Server hack that targeted COVID-19 researchers. He is accused of hacking and stealing sensitive information at the direction of the Chinese government. This arrest highlights ongoing efforts to address cybercrimes, although experts believe it may not significantly deter future hacking activities.

🕸️ Scattered Spider, a sophisticated cyber threat group known for aggressive social engineering and targeted phishing, is broadening its scope, notably targeting aviation alongside enterprise environments. Check Point Research has uncovered specific phishing domain indicators, helping enterprises and aviation companies proactively defend against this emerging threat.

🇧🇷 Police in Brazil arrested João Roque, an employee of C&M, for his role in a cyberattack that stole around $100 million from the country's banking systems. The hackers targeted the PIX payment system, affecting financial institutions but not individual clients. Authorities are investigating the attack and have frozen assets linked to the scheme while C&M is cooperating with the investigation.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests. Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇨🇳 🇪🇺 TikTok is under investigation in the European Union for transferring user data to China. This inquiry follows a previous fine of 530 million euros for risking user privacy. TikTok has started a project to build data centers in Europe to address security concerns.

🇺🇸 Experts warn that a recent Republican health care bill will harm cybersecurity in the sector, especially for rural hospitals already facing budget issues. Cuts to Medicaid and other programs may lead to reduced funding for cybersecurity measures, putting patient data at risk. Witnesses at a Senate hearing urged lawmakers to restore federal support and coordination for health care cybersecurity efforts.

🇺🇸 👨🏻‍⚖️ A U.S. appeals court has allowed El Salvadoran journalists to continue their lawsuit against the spyware maker NSO Group. The court found that a lower court wrongly dismissed the case, which will now proceed in California. Lawyers for the journalists are hopeful for justice against companies that harm reporters with spyware.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🍎 Cybersecurity researchers found a new variant of the ZuRu malware that targets macOS users by disguising itself as the legitimate Termius app. This malware uses modified versions of known software to gain remote control of infected computers. The attackers adapt their techniques to avoid detection while continuing to exploit users seeking legitimate applications.

🎠 📲 A new Android banking Trojan named Anatsa has infected 90,000 users by disguising itself as a PDF app on the Google Play Store. Once downloaded, it displays fake messages about banking service interruptions to steal users' credentials. Researchers warn that this malware targets a wide range of banking apps and has a history of successfully deceiving users in North America.

🚪 🍎 A new version of the Atomic macOS info-stealer includes a backdoor that gives attackers long-term access to infected systems. This malware can execute remote commands and survives system reboots, affecting users in over 120 countries. It is primarily targeting macOS users through phishing and other sophisticated methods.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

📺 fwd:cloudsec North America 2025 videos are now online!

🐛 A serious vulnerability has been found in the mcp-remote project, allowing attackers to execute commands on affected systems. This flaw, tracked as CVE-2025-6514, affects versions 0.0.5 to 0.1.15 and poses a risk to over 437,000 downloads. Users are urged to update to the latest version and only connect to trusted servers to avoid exploitation.

🧩 Nearly 1 million browsers have been turned into website-scraping bots by 245 browser extensions that bypass security protections. These extensions, which have been downloaded almost 909,000 times, perform various tasks but share a common link to a monetization library. They work with a company called Olostep to scrape websites for paying customers, including advertisers.

🇺🇸 🫣 The U.S. State Department has warned diplomats about an impostor using AI to impersonate Secretary of State Marco Rubio and contact various officials. Although the scam attempts were not successful, the department is taking the situation seriously and improving cybersecurity measures. This incident highlights the growing threat of AI misuse for deception among government officials.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

🚙 Not So Perfect — Researchers found serious vulnerabilities in a widely used Bluetooth system that could allow hackers to remotely access millions of cars. This attack, called PerfektBlue, can enable hackers to track a vehicle, record audio, and potentially control critical functions. Patches have been released to fix these issues, but users need to be cautious, as the attack can often be initiated with just one click.

Proof-of-concept exploit shows how PerfektBlue can be used to obtain RCE on a Mercedes-Benz NTG6 head unit (perfektblue.pcacybersecurity.com).

📱 A new hacking method can clone eSIMs and spy on mobile communications, posing serious security risks. The vulnerabilities were found in Kigen's eUICC cards but may affect other vendors due to flaws in Oracle's Java Card technology. Attackers could exploit these issues to access sensitive data and even disrupt eSIM functionality.

☁️ 🧱 The Azure Front Door Web Application Firewall (WAF) has a security flaw that allows users to bypass IP restrictions by using the X-Forwarded-For header. This issue arises because the default setting, RemoteAddr, matches the value of this header instead of the actual connecting IP address. To secure your WAF, it is crucial to configure it to use the SocketAddr variable instead.
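To make the fix concrete, here is an added Bicep example (written for this newsletter, not taken from Microsoft's documentation or the original write-up) of a Front Door WAF custom rule that restricts access to an allowlisted source range. The policy name and the 203.0.113.0/24 range are constructed placeholders; only the choice of match variable is the point.

```bicep
// Added example: a Front Door WAF custom rule that blocks every request whose
// source is outside a constructed corporate range (203.0.113.0/24).
//
// Weak form: matchVariable: 'RemoteAddr'
//   RemoteAddr is evaluated from the X-Forwarded-For header when one is
//   present, so the client controls the value the allowlist is checked against.
//
// Corrected form: matchVariable: 'SocketAddr'
//   SocketAddr is the IP address of the TCP connection to Front Door itself and
//   cannot be influenced by request headers.
resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: 'exampleWafPolicy' // constructed name
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'
    }
    customRules: {
      rules: [
        {
          name: 'BlockOutsideCorporateRange'
          priority: 100
          enabledState: 'Enabled'
          ruleType: 'MatchRule'
          action: 'Block'
          matchConditions: [
            {
              // Use SocketAddr, not RemoteAddr, for IP allow/deny decisions.
              matchVariable: 'SocketAddr'
              operator: 'IPMatch'
              // negateCondition: true turns "matches the range" into
              // "does NOT match the range", so everything else is blocked.
              negateCondition: true
              matchValue: [
                '203.0.113.0/24' // constructed allowlisted range
              ]
            }
          ]
        }
      ]
    }
  }
}
```

Existing policies can be audited by listing custom rules and checking for `IPMatch` conditions whose `matchVariable` is still `RemoteAddr`.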

🐛 A new vulnerability in ServiceNow, called Count(er) Strike, allows low-privileged users to access sensitive data they shouldn't see. The flaw arises from misconfigured access controls that let users retrieve partial data, like record counts, even if they fail to meet stricter access conditions. ServiceNow has released updates to fix this issue, but users should still check their settings to ensure data is adequately protected.

🩹 The Git project has released updates to fix seven security vulnerabilities affecting all previous versions of Git. These vulnerabilities could allow attackers to execute arbitrary code in certain situations. Users are advised to upgrade to Git 2.50.1 and avoid using untrusted repositories to enhance security.

🩸 Security researchers have released exploit code for a critical vulnerability in Citrix NetScaler, known as CVE-2025-5777, which could allow attackers to read sensitive memory data. Citrix has urged users to update their systems, as over 50,000 instances may be affected. Despite Citrix's claims that there is no evidence of active exploitation, security firms have demonstrated how the flaw can be exploited through incorrect login requests.

🛰️ ICS, OT & IoT

🐛 🩹 Siemens, Schneider Electric, and Phoenix Contact released security advisories addressing multiple vulnerabilities in their industrial control systems. Siemens highlighted critical and high-severity flaws in several products, while Schneider Electric warned of serious issues in EcoStruxure IT Data Center Expert. Phoenix Contact also reported critical vulnerabilities in PLCnext firmware and EV charging controllers, prompting organizations to update their systems.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague — it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
