🕵🏻‍♂️ [InfoSec MASHUP] 41/2025

13-Year Redis Flaw Exposed: CVSS 10.0 Vulnerability Lets Attackers Run Code Remotely; Google DeepMind’s New AI Agent Finds and Fixes Vulnerabilities; 5.5 Million People Impacted in Discord Breach; Qilin ransomware says it attacked Japan’s Asahi; Microsoft says the Storm-1175 cybercrime group exploited a zero-day in GoAnywhere MFT; The Cl0p ransomware group stole data from Oracle E-Business Suite customers; SonicWall admits attacker accessed all customer firewall configurations stored on cloud portal;

We now have 1,620 active subscribers! Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let’s keep growing the community.

Let’s now dive into this week’s top insights! 🚀

🔓 BREACHES & SECURITY INCIDENTS

🔥 🧱 SonicWall says attackers ran brute-force attacks against its MySonicWall cloud backup service and accessed every customer firewall configuration stored there. The backup files hold firewall rules, routing settings and credentials; the credentials are encrypted, but the rest of the configuration is readable and maps out the target network. SonicWall is working with Mandiant, notifying customers, and urging them to check whether their devices are affected and to follow its remediation steps.

🇮🇳 An authorization flaw in India’s income tax e-Filing portal let logged-in users view other taxpayers’ personal and financial data, including names, addresses, phone numbers, bank details and Aadhaar numbers. Officials fixed the bug after researchers reported it, but it is unclear how many records were accessed before the fix.

🇺🇸 Florida-based public safety communications firm BK Technologies said its IT systems were hacked and intruders stole non-public data. The company found the breach on September 20, removed the attacker, and reported only minor disruptions to noncritical systems. BK Technologies expects no material financial impact and says much of the remediation cost is covered by insurance.

🇺🇸 Florida-based Doctors Imaging Group revealed that a November 2024 cyberattack exposed sensitive medical, financial, and ID data for 171,862 patients. The company finished its investigation in late August and notified affected individuals and authorities. It urged patients to check statements and consider fraud alerts but did not offer paid credit monitoring.

💬 Discord says hackers stole user data from a third-party customer support provider, not from Discord’s own systems. Affected data includes names, emails, messages with support, billing details, IPs, and some government ID images for age appeals, but not passwords or Discord activity. Discord is notifying users, working with forensics and law enforcement, and has cut the provider’s access.

🇺🇸 🇪🇺 Electronics distributor Avnet confirmed a data breach after unauthorized access to an EMEA sales tool's cloud storage. Avnet says most stolen data is unreadable without its proprietary sales tool, though a hacker posted readable samples and claims 1.3TB compressed was taken. The company is investigating, rotating secrets, notifying authorities, and will contact affected customers and suppliers.

🔗 Partners and Affiliates

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🦕 Attackers are abusing Velociraptor, an open-source DFIR tool, to maintain access and deploy LockBit and Babuk ransomware. Cisco Talos links the campaign to Storm-2603, a China-based group, which dropped an outdated Velociraptor build affected by a known privilege-escalation flaw. The intruders exfiltrated data for double extortion, disabled defenses, and relied on fileless PowerShell and scheduled tasks to persist and encrypt systems.

🇺🇸 🇫🇷 The FBI and French authorities seized the BreachForums domains and back-end servers, taking control of backups and nameservers. ShinyHunters confirmed the takeover but said no core admins were arrested and vowed not to relaunch the forum. The gang still claims it will leak Salesforce-related data from over a billion stolen records via a dark web site.

🔓 The Cl0p ransomware group stole data from Oracle E-Business Suite customers and sent extortion emails. Oracle confirmed the attackers chained a critical zero-day (CVE-2025-61882, exploitable over the network without credentials) with earlier-patched flaws to get remote code execution. Oracle released patches and indicators of compromise, and experts warn that other groups may quickly reuse the same vulnerabilities.

🇬🇧 👶🏻 London police arrested two 17-year-olds over the doxing of children after a ransomware attack on Kido nurseries. Hackers claiming to be the Radiant Group stole and leaked photos and addresses of over 1,000 children to extort the chain. Authorities say the suspects face computer misuse and blackmail charges and the investigation is ongoing.

🇯🇵 🍺 Qilin ransomware says it attacked Japan’s Asahi, disrupting orders, shipments, and call centers. Asahi confirmed ransomware and said data was stolen, while Qilin published screenshots and claims 27 GB of files. It’s unclear if Asahi paid or what personal data was exposed, and the company has not given full details.

📋 ShinyHunters (part of the Scattered LAPSUS$ Hunters collective) is extorting dozens of companies and threatening to publish stolen Salesforce, Red Hat, and Discord data unless ransoms are paid. The group posted victim lists, claimed breaches that include GitLab repositories and customer support records, and distributed malware to intimidate security researchers. Law enforcement and companies such as Salesforce are investigating, warning customers, and refusing to pay while patching and forensic work continue.

🇺🇸 Microsoft says the Storm-1175 cybercrime group exploited a zero-day in Fortra’s GoAnywhere MFT (CVE-2025-10035, a deserialization flaw in the product’s License Servlet) to run multi-stage intrusions and deploy Medusa ransomware. Researchers observed activity from Sept. 11, and other firms and U.S. authorities confirm active exploitation. Fortra has not answered questions about how the vulnerability was reached or how many customers were affected.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇮🇱 🤝🏼 🇺🇸 Israeli spyware maker NSO Group says a U.S. investment group has bought controlling ownership for tens of millions of dollars. The company says it will stay headquartered and regulated in Israel. Critics worry U.S. ownership could enable NSO to push its controversial hacking tools closer to American users.

🇪🇺 👀 EU lawmakers may vote on a proposal called Chat Control that would force messaging apps to scan users’ messages on their own devices (client-side scanning) before they are encrypted. Tech companies and privacy experts say this would break end-to-end encryption in practice and harm journalists, activists, and abuse victims. Critics warn it could weaken security worldwide and push companies to leave the EU.

🇮🇱 🇮🇷 Researchers at Citizen Lab say a network of social media accounts, likely tied to Israel, used AI-generated videos and deepfakes to push anti-government messages in Iran. The PRISONBREAK campaign posted during real attacks, including an AI video about an Evin Prison strike that fooled some news outlets. Researchers suspect Israeli government agencies or contractors ran the operation to try to incite unrest.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🎣 👀 A new Android spyware campaign called ClayRat tricks users into installing fake versions of apps like WhatsApp, TikTok, and YouTube from phishing sites and Telegram channels. Once installed, ClayRat steals messages, call logs, notifications, photos, and device data, can send messages and place calls from the device, and spreads by messaging every contact in the address book. Researchers found hundreds of samples and warn that the malware hides its payload to slip past Android protections and is growing quickly.

🇻🇳 🧛🏻‍♂️ Vietnamese-linked group BatShadow lures job seekers and marketers with fake job documents to deliver a new Go-based malware called Vampire Bot. The attack uses disguised ZIPs, LNK/EXE files, and social-engineered browser tricks to make victims download a malicious payload. Vampire Bot can profile systems, steal data, take screenshots, and connect to an attacker server for further commands.

🎣 🪱 XWorm, a modular remote access trojan first seen in 2022, has resurfaced in new variants (6.0, 6.4, 6.5) and is spreading via phishing and other lures. It now supports over 35 plugins, including data stealers, remote desktop tools, and a ransomware module that encrypts user files and demands payment. Researchers warn the malware is widely adopted by multiple threat actors.

Figure: XWorm infection chain (source: Trellix)

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🔙 🚪 Researchers found that large language models can learn a backdoor from as few as 250 poisoned documents in their training data, and that this number stayed roughly constant rather than growing with the model: it held for models from 600 million to 13 billion parameters. In practice an attacker only needs to plant a small, fixed number of crafted files into a training corpus to implant a trigger that alters the model’s responses.

🩹 Google DeepMind unveiled CodeMender, an AI agent that finds and patches software vulnerabilities. It combines program analysis with multiple cooperating models to rewrite code while checking that the fix does not introduce regressions. DeepMind says CodeMender has upstreamed 72 security fixes to open-source projects, each reviewed by a human before submission.

🛠️ OpenAI says threat actors use its AI to speed up and scale familiar hacking and scam methods, not create new ones — Researchers found clusters tied to China, North Korea, and organized crime using models for phishing, malware development, influence operations, and scam management. OpenAI also notes many users use the tool to spot scams, and that borderline “dual-use” requests make moderation and threat analysis hard.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

💰 🍎 Apple raised top bug-bounty payouts to $2 million for complex zero-click exploit chains and may pay up to $5 million with bonuses. The company has paid over $35 million to 800+ researchers since 2020 and boosted many reward tiers across devices. New Target Flags and other changes aim to make payouts more transparent and encourage more vulnerability reports.

📈 GreyNoise reported a roughly 500% spike in scanning of Palo Alto Networks login portals on October 3, 2025. About 1,300 IPs, mostly U.S.-based, took part; GreyNoise classified 93% as suspicious and 7% as malicious. The pattern mirrors the recent Cisco ASA scanning wave, and GreyNoise notes that such spikes have often preceded disclosure of a new vulnerability in the targeted product, so exposed portals deserve extra monitoring.

🗓️ Researchers warn that the Year 2036 and Year 2038 time rollovers (the 32-bit NTP seconds counter wrapping on 7 February 2036, and signed 32-bit time_t overflowing on 19 January 2038) are exploitable vulnerabilities today, not just future date bugs: an attacker who can influence a time source (GPS, NTP, file timestamps) can push a system past the boundary now and trigger crashes, bypass time-based checks such as certificate or token validity, or corrupt data. Fixing them is hard because many affected devices are embedded systems that need deep firmware or ABI changes, so prioritisation and patching should start now.
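
Worked example (added to this issue, not code from the cited research): the two rollovers with the real NTP/Unix epoch constants. It shows the textbook NTP-to-Unix conversion landing in 1900 once the 32-bit NTP seconds field wraps in 2036, the RFC 4330 era rule that keeps working past that point, and what a signed 32-bit time_t actually stores one second after the 2038 limit. The sample timestamps are constructed.

```python
"""The two rollovers the item describes, worked through with the real epoch constants.

Added illustration for this newsletter issue, not code from the cited research.
The sample timestamps are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

NTP_UNIX_OFFSET = 2_208_988_800      # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
NTP_ERA_LENGTH = 1 << 32             # the 32-bit NTP seconds field wraps here: 2036-02-07 06:28:16 UTC
INT32_MIN, INT32_MAX = -(1 << 31), (1 << 31) - 1   # signed 32-bit time_t range; MAX is 2038-01-19 03:14:07 UTC


def ntp_to_unix_naive(ntp_secs: int) -> int:
    """Textbook conversion. Correct until the NTP seconds field wraps, then it lands in 1900."""
    return ntp_secs - NTP_UNIX_OFFSET


def ntp_to_unix_era_aware(ntp_secs: int) -> int:
    """RFC 4330, section 3: if the top bit is set the stamp is in era 0 (1968..2036);
    if clear it is in era 1 (2036..2104). This keeps working across the 2036 wrap."""
    if ntp_secs & 0x8000_0000:
        return ntp_secs - NTP_UNIX_OFFSET
    return ntp_secs + (NTP_ERA_LENGTH - NTP_UNIX_OFFSET)


def fits_time32(unix_secs: int) -> bool:
    """True if a signed 32-bit time_t can hold the value."""
    return INT32_MIN <= unix_secs <= INT32_MAX


def as_time32(unix_secs: int) -> int:
    """What a 32-bit time_t actually ends up holding: two's-complement wrap to December 1901."""
    return struct.unpack("<i", struct.pack("<I", unix_secs & 0xFFFF_FFFF))[0]


def iso(unix_secs: int) -> str:
    """UTC ISO-8601 string; built with timedelta so negative and far-future values work on any platform."""
    return (datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=unix_secs)).isoformat()


if __name__ == "__main__":
    # Constructed NTP stamps: one from 2025-10-10, one taken 100 s after the 2036 wrap.
    samples = {"2025 stamp": 1_760_054_400 + NTP_UNIX_OFFSET, "post-2036 stamp": 100}
    for label, ntp in samples.items():
        print(f"{label}: naive -> {iso(ntp_to_unix_naive(ntp))}, era-aware -> {iso(ntp_to_unix_era_aware(ntp))}")
    # 2038: one second past INT32_MAX does not fit and wraps negative in a 32-bit time_t.
    t = INT32_MAX + 1
    print(f"{t}: fits_time32={fits_time32(t)}, stored as {as_time32(t)} -> {iso(as_time32(t))}")
```

Note that the post-2036 stamp converts to a Unix time that still fits in 32 bits, which is why the two rollovers are separate bugs: the NTP one hits time-sync code in February 2036, the time_t one hits everything that stores seconds in a signed 32-bit field in January 2038.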

😱 A critical 13-year-old vulnerability in Redis (CVE-2025-49844, CVSS 10.0) is a use-after-free in the embedded Lua interpreter: an attacker who can submit a Lua script (EVAL) can escape the sandbox and run code on the host. Roughly 60,000 internet-exposed instances run without authentication and are therefore open to anyone. Redis has released patches and advises admins to update, restrict network access, enable authentication, and use ACLs to remove Lua scripting from clients that do not need it. No widespread exploitation has been reported yet, but exposed instances risk data theft, malware deployment, and lateral movement.
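
Worked example (added to this issue; not Redis project code): a small audit of a redis.conf and ACL file for the exposure pattern that turns this bug into an internet-facing RCE, namely listening on every interface, protected mode off, an enabled default user with no password, and Lua scripting granted to clients that should not have it. The two sample configurations are constructed; the directive names (bind, protected-mode, requirepass, aclfile, user) and the @scripting ACL category are real Redis ones, but the ACL evaluation is an approximation limited to the Lua-relevant tokens.

```python
"""Audit a redis.conf (plus optional ACL file) for the exposure pattern that makes
CVE-2025-49844 dangerous: reachable from outside, no authentication, Lua open to all.

Added example for this newsletter issue, not Redis project code. The two sample
configs are constructed; the directive names and the @scripting ACL category are
real Redis ones, but ACL evaluation is approximated (see _scripting_allowed).
"""
from typing import Dict, Iterator, List, Tuple

WILDCARD_BINDS = {"0.0.0.0", "*", "::"}   # any of these means "every interface"

# Constructed sample 1: the classic internet-facing Redis with the defaults left alone.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample 2: loopback only, default user disabled, app user without Lua.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
aclfile /etc/redis/users.acl
"""
HARDENED_ACL = """
user default off
user app on >s3cret-app-password ~app:* &* +@all -@scripting
"""


def _directives(text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (name, args) per directive; whole-line '#' comments are skipped. A '#' later in
    the line is kept because Redis ACL uses '#<sha256>' for hashed passwords."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            yield name.lower(), args


def _scripting_allowed(rules: List[str]) -> bool:
    """ACL rules apply left to right and later rules win. Only the Lua-relevant tokens are
    modelled here (assumption: enough for +@all / -@scripting style policies)."""
    allowed = False
    for rule in rules:
        token = rule.lower()
        if token in ("+@all", "allcommands", "+@scripting", "+eval", "+evalsha"):
            allowed = True
        elif token in ("-@all", "nocommands", "-@scripting", "-eval", "-evalsha"):
            allowed = False
    return allowed


def audit_redis(conf_text: str, acl_text: str = "") -> List[str]:
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    findings: List[str] = []
    binds: List[str] = []
    protected_mode = True      # Redis default
    requirepass = False
    users: Dict[str, List[str]] = {}

    for name, args in _directives(conf_text):
        if name == "bind":
            binds.extend(a.lstrip("-") for a in args)   # "-::1" means "bind if available"
        elif name == "protected-mode":
            protected_mode = args[:1] == ["yes"]
        elif name == "requirepass" and args:
            requirepass = True
        elif name == "user" and args:
            users[args[0]] = args[1:]
    for name, args in _directives(acl_text):
        if name == "user" and args:
            users[args[0]] = args[1:]                    # aclfile entries override inline users

    if not binds or WILDCARD_BINDS & set(binds):
        findings.append("bind: listening on every interface; bind to 127.0.0.1 or an internal address")
    if not protected_mode:
        findings.append("protected-mode no: the last guard against unauthenticated remote clients is off")

    # With no 'user default' line, Redis ships the default user as: on nopass ~* &* +@all
    default_rules = users.setdefault("default", ["on", "nopass", "~*", "&*", "+@all"])
    has_password = requirepass or any(r.startswith((">", "#")) for r in default_rules)
    if "off" not in default_rules and ("nopass" in default_rules or not has_password):
        findings.append("default user: enabled without a password; set requirepass or 'user default off'")

    for user, rules in users.items():
        if "off" not in rules and _scripting_allowed(rules):
            findings.append(f"user {user}: Lua scripting (EVAL/EVALSHA) allowed; add -@scripting unless this client needs it")
    return findings


if __name__ == "__main__":
    for label, conf, acl in (("weak", WEAK_CONF, ""), ("hardened", HARDENED_CONF, HARDENED_ACL)):
        result = audit_redis(conf, acl)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The weak sample produces four findings and the hardened one none. Removing @scripting from application users is the mitigation that matters most for this CVE, because the bug is reached only through a Lua script; patching remains the actual fix.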

💰 ☁️ Wiz launched Zeroday.Cloud, a cloud hacking contest with $4.5 million in prizes and live demos at Black Hat Europe in December. Major cloud providers (AWS, Google Cloud, Microsoft) back it, and rewards target exploits across AI, Kubernetes, containers, web servers, databases, and DevOps tools. Trend Micro’s ZDI accused Wiz of copying parts of its Pwn2Own rules.

🛰️ ICS, OT & IoT

🕸️ 💥 Aisuru is a massive IoT botnet launching record-breaking DDoS attacks that recently peaked near 30 Tbps (30 trillion bits per second). Most infected devices sit on U.S. ISPs, producing heavy outbound traffic and collateral disruption for those networks and for gaming services. The botnet reuses Mirai code, is rented out as a residential proxy network, and its operators sell access while avoiding attribution.

🕸️ RondoDox is a new botnet that attacks many devices using a "shotgun" of over 50 exploits — It targets routers, cameras, DVRs, servers and other network gear from more than 30 vendors and spreads via weak credentials and old bugs. Infected devices are used for crypto mining, DDoS, and enterprise intrusions while the botnet rapidly rotates infrastructure to avoid detection.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague; it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
