🕵🏻‍♂️ [InfoSec MASHUP] 42/2025

🔓 BREACHES & SECURITY INCIDENTS

🇺🇸 F5 Networks says government-backed hackers had long-term access to its systems and stole source code and customer data. The company patched vulnerabilities and believes containment was successful but warned customers to update systems. U.S. agencies urged emergency fixes as the breach could let attackers exploit F5 devices.

→ CISA warns of imminent risk posed by thousands of F5 products in federal agencies

🇺🇸 Harvard is investigating a data breach after the Clop ransomware gang put the university on its leak site. The gang says the breach used a new Oracle E-Business Suite zero-day (CVE-2025-61882), which Oracle patched. Harvard says the issue affected a small admin unit and it has no evidence of wider compromise.

🇪🇸 👗 Spanish fashion retailer MANGO warned customers that a marketing vendor suffered a data breach exposing names, countries, postal codes, emails, and phone numbers. The company said last names, payment data, IDs, and account credentials were not exposed and its own systems were unaffected. MANGO notified authorities and set up a support email and hotline for affected customers.

❌ Customer service firm 5CA denies responsibility for a recent Discord data breach and says its systems were not hacked. Discord reported that some user data, including messages and limited billing info, may have been exposed and blamed a third-party customer service system. Hackers claim to have many ID photos, but Discord says only about 70,000 government IDs were affected.

🇻🇳 ✈️ Vietnam Airlines suffered a cyberattack that breached its Salesforce CRM and exposed data for about 7.3 million passengers. The stolen records, spanning 2020–2025, include names, birthdates, phone numbers, emails, addresses, and loyalty details. The data appeared on dark web sites after extortion attempts, and Vietnam Airlines has not publicly responded.

🇺🇸 SimonMed Imaging suffered a ransomware attack that exposed data for over 1.2 million people. Hackers accessed systems from Jan 21 to Feb 5 and stole personal and medical records, including SSNs and insurance details. The Medusa group claimed the breach and demanded $1 million, and the stolen data could be leaked or sold.

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign 

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇺🇸 ⚖️ 20-year-old Massachusetts man, Matthew Lane, was sentenced to four years in prison for a 2024 cyberattack on PowerSchool that exposed data on about 70 million students and teachers. PowerSchool paid a ransom and suffered over $14 million in losses; Lane must also pay nearly $14.1 million in restitution and a $25,000 fine. Prosecutors said the breach is the largest of U.S. schoolchildren’s data and warned Lane remains a threat.

🇺🇸 💸 Federal prosecutors seized $15 billion linked to a scam that used imprisoned people to trick victims into fake investments. Scammers faked months-long romantic relationships online to build trust. Victims were persuaded to send large amounts of bitcoin while workers were trafficked and forced to run the scheme.

🇪🇸 Spanish police arrested a 25-year-old Brazilian accused of running the "GXC Team" crime-as-a-service operation that sold phishing kits and Android malware. The service cloned bank and government websites and enabled attacks on dozens of institutions, causing millions in losses across multiple countries. Investigators seized devices, shut down Telegram channels, and are probing associates and financial records.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇺🇸 Rep. Eric Swalwell demanded answers from acting CISA Director Madhu Gottumukkala about recent staff cuts and forced transfers. He says moving cybersecurity workers to DHS deportation efforts and layoffs undermines national security. Swalwell warned the cuts weaken CISA’s ability to respond to major cyber threats.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

📲 Researchers found a new Android attack called Pixnapping that can steal 2FA codes, messages, and location data in under 30 seconds. A malicious app with no permissions reads what other apps display by mapping screen pixels to characters. Google issued fixes, but researchers say modified attacks can still bypass them on some phones.

👹 Researchers say TA585 runs its own phishing and web-injection campaigns to deliver MonsterV2, a powerful RAT, stealer, and loader. MonsterV2 can steal data, hijack clipboards, run HVNC remote control, and download more malware while avoiding CIS countries. The malware is sold as a service, uses crypters and anti-analysis checks, and connects to C2 servers to receive commands.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🔐 Why Signal’s post-quantum makeover is an amazing engineering achievement — Quantum computers will one day break today’s encryption, threatening many online secrets. Most organizations haven’t upgraded because it’s costly and the timeline is uncertain. Signal’s team has now made the Signal Protocol fully resistant to quantum attacks, a major engineering win.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws

• Adobe Patches Critical Vulnerability in Connect Collaboration Suite

• High-Severity Vulnerabilities Patched by Fortinet and Ivanti

• SAP Patches Critical Vulnerabilities in NetWeaver, Print Service, SRM

🐛 🩹 Oracle issued an emergency patch for an E-Business Suite flaw (CVE-2025-61884) that can be exploited remotely without authentication. The bug can let attackers steal sensitive data and affects EBS 12.2.3–12.2.14. Administrators are urged to apply the out-of-band patch immediately.

🛰️ Researchers showed that with about $600 of consumer satellite gear you can intercept lots of unencrypted data from geostationary satellites — They captured phone calls, texts, internet traffic, and military and corporate information from many providers. The study warns that many organizations leave satellite links unencrypted and exposed.

🐛 Researchers found a flaw dubbed RMPocalypse that lets attackers overwrite 8 bytes in AMD’s Reverse Map Paging (RMP) during initialization. This single write can break SEV-SNP protections, letting attackers read or tamper with confidential VM memory. AMD, Microsoft, and vendors are issuing fixes and updates for affected EPYC platforms.

🇨🇳 👀 Researchers found a Chinese-linked group called Flax Typhoon turned a popular ArcGIS server feature into a hidden webshell — They used the software’s own extensions and backups to stay hidden and reinfect systems. The report warns that any trusted backend tool can be weaponized and must be treated as high risk.

🛰️ ICS, OT & IoT

🩹 ICS Patch Tuesday — Major ICS vendors — Siemens, Schneider Electric, Rockwell, ABB, Phoenix Contact, and Moxa — issued Patch Tuesday advisories fixing multiple security flaws in industrial and OT products. Siemens and Rockwell disclosed critical vulnerabilities that can allow remote attackers to steal credentials, access configurations, or take control of devices. Other fixes address high- and medium-severity issues including DoS, privilege escalation, command injection, and hardcoded keys.

🐛 Researchers found two critical CVSS 10.0 flaws in Red Lion Sixnet RTUs that let attackers run code as root. One bug bypasses authentication and the other executes arbitrary shell commands. Users should patch immediately, enable authentication, and block TCP access to affected devices.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.