🕵🏻♂️ [InfoSec MASHUP] 44/2025
Google disputes false claims of massive Gmail data breach; The EU says Facebook and Instagram broke Digital Services Act (DSA) rules; Former US Defense Contractor Executive Admits to Selling Exploits to Russia; F5 says a nation-state attacker had long-term access to its systems; OpenAI releases ‘Aardvark’ security and patching model;
We now have 1,619 active subscribers! Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let’s keep growing the community.
I’m back after a few days traveling and hopefully rested and boosted to go through the end of a busy 2025! Let’s now dive into this week’s top insights! 🚀
Table of Contents
🔓 BREACHES & SECURITY INCIDENTS
💌 Google says there was no Gmail data breach — Reported “183 million” accounts came from many old credential dumps and malware logs, not a single Gmail hack. Users should check for exposed passwords and change them if needed.
Reports of a “Gmail security breach impacting millions of users” are false. Gmail’s defenses are strong, and users remain protected. 🧵👇
— News from Google (@NewsFromGoogle)
7:32 PM • Oct 27, 2025
🤔 F5 says a nation-state attacker had long-term access to its systems but the overall impact was limited — Customers quickly applied emergency BIG-IP updates and only a small number had configuration data stolen. F5 is scanning code, working with security firms, and expects a short-term financial hit.
🇺🇸 Ribbon Communications says nation-state hackers breached its IT network, first gaining access as early as December 2024 and discovered in September 2025. The attackers accessed files on two customer laptops, but Ribbon has found no evidence of theft of material corporate data so far. The company is working with cybersecurity firms and federal authorities and is strengthening its network.
🇺🇸 Business services firm Conduent says a January 2025 breach exposed personal data of millions, including names, DOBs, Social Security numbers, and medical information. Attackers accessed its network from Oct 21, 2024 until they were evicted on Jan 13, 2025, and at least 4.5 million people appear affected. Conduent urged people to monitor credit and notified state attorneys, but is not offering free identity-protection services.
🇺🇸 🇯🇵 Dentsu says its U.S. subsidiary Merkle suffered a cyberattack that exposed staff and client data. They shut down some systems, reported the breach to authorities, and confirmed files were stolen. The company is investigating, notifying affected people, and expects some financial impact.
🇸🇪 Swedish state-owned grid operator Svenska kraftnät was hit by a cyberattack that led to a data breach. The company says the power grid and critical systems were not affected, but about 280 GB of data may have been stolen. The Everest ransomware group claims responsibility and is threatening to leak the data while authorities investigate.
🔗 Partners and Affiliates
With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.
Special Offer: get up to 73% off with a 2-year plan!
🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APTs
🇺🇦 🇺🇸 ⚖️ A Ukrainian man who fled to Ireland after Russia's invasion was extradited to the United States on charges tied to the Conti ransomware — He is accused of helping extort victims for over $500,000 in Tennessee and of participating in attacks that netted at least $150 million worldwide. He faces up to 25 years in prison if convicted.
🇺🇸 🇷🇺 An Australian executive, Peter Williams, pleaded guilty in the US for stealing cyber-exploit trade secrets from a defense contractor and selling them to a Russian broker. He stole at least eight exploits between 2022 and 2025, was paid in cryptocurrency, and spent the proceeds on luxury items. The US seeks forfeiture of $1.3 million and other assets, and Williams faces up to 20 years in prison.
🇷🇺 🇺🇦 Russian-linked hackers used living-off-the-land techniques and few malware tools to steal data and maintain access in Ukrainian organizations. They deployed web shells, PowerShell backdoors, scheduled tasks, and dual-use tools to stay stealthy and persistent. Intelligence links the activity to broader Russian cybercrime and state-aligned tactics shaping attacks on Ukraine.
🇹🇭 Myanmar’s army raided a major online scam center called KK Park near the Thai border and blew up parts of it. More than 1,500 people fled into Thailand last week, with a few dozen still crossing and sheltered while authorities check if they were trafficking victims. Many scam workers from dozens of countries are believed to have been forced to work there, and similar operations persist in the region.
🇨🇳 Security researchers link a China-associated group called the Smishing Triad to over 194,000 malicious domains used in global smishing campaigns. The attackers use fast-changing disposable domains and U.S. cloud hosting to impersonate services (USPS, banks, tolls, crypto) and steal credentials. Their phishing-as-a-service network has made over $1 billion and targets brokerage accounts, using those accounts to manipulate markets.
🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉
👨🏻⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY
🔔 👀 Amazon’s Ring is partnering with Flock, a company that runs AI surveillance cameras used by police and federal agencies — Agencies using Flock can request Ring users’ footage for investigations, expanding access to video and license-plate data. Critics warn the tech fuels racial bias and Ring has a history of poor video security.
🇦🇺 🇺🇸 ⚖️ Australia’s consumer watchdog is suing Microsoft for allegedly misleading 2.7 million Microsoft 365 users into paying for Copilot. The ACCC says Microsoft hid the option to keep the old plan and made upgrades seem required, causing big price rises for many subscribers. The regulator seeks fines, injunctions, and compensation, and Microsoft says it is reviewing the claim.
🇺🇸 🇨🇳 National Cyber Director Sean Cairncross says the U.S. must counter China’s efforts to export surveillance technology. He wants the U.S. to promote a “clean American tech stack” and strengthen the national cyber office. Bolstering the office’s authority and sending a clearer signal to China are his first priorities.
🇪🇺 The EU says Facebook and Instagram broke Digital Services Act (DSA) rules on illegal content, moderation, and transparency. The Commission found Meta uses confusing interfaces and limits researcher access, and it flagged similar transparency breaches at TikTok. Both companies could face fines up to 6% of global revenue and may contest or fix the issues before a final ruling.
🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.
🦠 MALWARE & THREATS
🎣 💬 Hackers are sending fake LinkedIn board invitations to finance executives to steal Microsoft login credentials. The scam uses redirects, CAPTCHA checks, and a fake Microsoft login page to capture passwords and cookies. Users should avoid unexpected LinkedIn links and verify senders before clicking.

Figure: The victim is prompted to click the link to “view with Microsoft”/pushsecurity.com
🐍 ℹ️ Researchers found 10 malicious npm packages that delivered a multi-stage information stealer for Windows, macOS, and Linux. The packages used obfuscated code, fake CAPTCHAs, and postinstall hooks to download a PyInstaller stealer that snatched browser data, tokens, SSH keys, and system keyring credentials. Nearly 10,000 installs occurred after the typosquatted packages were uploaded in July 2025.
⌨️ Herodotus is a new Android malware sold as a service that tricks users via smishing and abuses Accessibility permissions to control devices. It fakes human typing by adding random delays between 0.3 and 3 seconds to avoid behavior-based detection. Operators use it to steal credentials, intercept SMS codes, show fake overlays, and manage attacks from a control panel.
🕸️ The Aisuru botnet has shifted from huge DDoS attacks to renting infected IoT devices as residential proxies. These proxies let criminals hide scraping and fraud traffic by making it look like normal users. Experts warn this fuels large-scale data harvesting for AI and other abuse.
🇷🇺 Kaspersky says it found a malware campaign called Operation ForumTroll targeting Russian institutions and tied to Memento Labs, the successor to Hacking Team. The attackers used a Chrome zero-day in personalized phishing links to infect victims and conduct espionage. Researchers also discovered a new commercial spyware product named Dante linked to Memento Labs.

Figure: Operation ForumTroll attack chain/securelist.com
💬 💳️ Attackers are using the RedTiger red-team tool to build an infostealer that steals Discord accounts and payment data. The malware also grabs browser passwords, crypto wallets, game files, screenshots, and system info. Stolen data is uploaded anonymously and sent to attackers, so users should avoid untrusted downloads, revoke tokens, change passwords, and enable MFA.
🤖 🧰 AI, CRYPTO, TECH & TOOLS
🧰 🩹 OpenAI released Aardvark, a ChatGPT-5–powered model that scans code to find, test, and patch vulnerabilities — It prioritizes issues, suggests fixes for human review, and has found many bugs including ones with CVEs. The beta is invite-only now, with free scanning for noncommercial open-source repos.
🕵️♂️ Cisco released MCP Scanner, an open-source tool to find vulnerabilities in MCP servers used by AI agents. It checks tool definitions, metadata, and code with contextual and signature-based scans.
💬 🔐 WhatsApp now lets you unlock end-to-end encrypted backups with passkeys like fingerprint or face. This removes the need to remember a backup password or 64-character key. The feature will roll out to users in the coming weeks and can be enabled in Settings > Chats > Chat backup.
🔻 ☁️ Microsoft’s Azure cloud computing service experienced an hours-long outage that impacted workplace productivity software Microsoft 365 and workplace distractions Xbox and Minecraft. The company said the outage—which caused disruptions to businesses globally, including Alaska Airlines and Vodafone—was likely triggered by an “inadvertent configuration change”.
🐍 💰️ The Python Software Foundation withdrew a $1.5M NSF grant because the funding terms banned programs that advance diversity, equity, and inclusion. PSF said DEI is central to its mission and could not accept conditions that risked its work or funds. The foundation urged people to join, donate, or sponsor to help cover needs.
🔐 Google will make Chrome use HTTPS by default for all public sites starting October 2026 (Chrome 154). If a site uses HTTP, Chrome will warn users and ask permission before proceeding. Most sites already use HTTPS, so warnings should be rare and Google expects more sites to switch.
🧩 Mozilla now requires new Firefox extensions to declare personal data collection and transmission in their manifest using the data_collection_permissions key. This info will show during installation, on addons.mozilla.org, and in about:addons. All extensions must adopt the key next year or they cannot be signed.
🐛 🤖 Researchers found OpenAI Atlas’s omnibox can be tricked by disguising prompts as URLs. When Atlas misclassifies these malformed URLs it may run embedded instructions with fewer checks, enabling silent jailbreaks. Attackers could use this to phish credentials or perform destructive actions like deleting files.
🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE
➝ From the Patching Department:
🚗 🩹 Tata Motors confirms it fixed security flaws — Security researcher Eaton Zveare found security flaws in Tata Motors’ E-Dukaan portal that exposed private AWS keys and large amounts of company and customer data. Tata Motors says the issues were fully fixed in 2023 but did not confirm if affected customers were notified. The exposed data included invoices, personal identifiers, backups, fleet-tracking files, and admin access to internal dashboards.
💥 Attackers are actively exploiting critical flaws in Dassault DELMIA Apriso and XWiki that allow remote code execution and privilege escalation. Exploits are used in a two-stage chain that installs a cryptocurrency miner and removes competing miners. Users should apply vendor updates immediately to protect systems.
🗒️ MITRE released ATT&CK version 18 with major updates across detections, Enterprise, Mobile, CTI, and ICS. New detection objects (Detection Strategies and Analytics) and additions for cloud, CI/CD, Kubernetes, ransomware prep, and linked-device abuse were included. MITRE also added new ICS assets and created the ATT&CK Advisory Council for stakeholder input.
🖥️ Researchers created TEE.Fail, a physical side‑channel attack that reads encrypted DDR5 memory to steal secrets from CPU Trusted Execution Environments like Intel SGX/TDX and AMD SEV‑SNP. By using a cheap interposer and logic analyzer, they recover deterministic ciphertext mappings to extract signing and encryption keys and forge attestations. The attack requires physical access and kernel privileges, but shows current DDR5 TEE designs lack needed protections and vendors are working on mitigations.
🇮🇳 Security researcher Eaton Zveare found security flaws in Tata Motors’ E-Dukaan portal that exposed private AWS keys and large amounts of internal and customer data. The exposed files included invoices, customer PANs, database backups, fleet-tracking data, and admin access to analytics. Tata Motors says the flaws were fixed in 2023 but did not confirm whether affected customers were notified.
🐛 💥 A critical unauthenticated RCE in Microsoft WSUS (CVE-2025-59287) was actively exploited in the wild shortly after an emergency patch on Oct 23, 2025. The flaw lets remote attackers run system-level code via unsafe deserialization on servers with the WSUS role enabled. Organizations should apply Microsoft’s emergency patch or use interim mitigations (disable WSUS or block ports 8530/8531) immediately.
🎣 ⚰️ A phishing group called CryptoChameleon is sending fake LastPass "inheritance" emails claiming a death certificate was uploaded to gain vault access. The emails link to fake sites and passkey-focused pages that steal master passwords and passkeys, and attackers sometimes call victims posing as LastPass staff. This campaign builds on past attacks and targets synced passkeys in modern password managers.
🛰️ ICS, OT & IoT
🇯🇵 Japan’s Ministry of Economy, Trade and Industry released a 130-page OT security guide for semiconductor factories, with a 23-page summary. The guidance uses Japan’s CPSF and international frameworks like NIST CSF 2.0 and offers reference architectures and risk descriptions. It recommends practical measures such as asset management, vulnerability assessment, monitoring, incident response, and physical access controls.
🇨🇦 Canada's cyber agency warned hacktivists repeatedly breached internet-exposed industrial control systems — Intruders altered settings at water, oil, and farm facilities, causing disruptions and safety risks. Authorities urge removing direct internet access, using strong authentication, updating firmware, and reporting incidents.
🔓️ Cybercriminals linked to the Cl0p group have named Schneider Electric and Emerson as victims of a recent Oracle E-Business Suite hack. Leaked files totaling terabytes reportedly came from Oracle environments and appear tied to the campaign. Neither firm has commented, while other victims like Harvard and Envoy Air have confirmed impacts.
💬 CONNECT
Follow me on Mastodon for quick daily updates and bite-sized content.
Prefer using an RSS feed? Add Infosec MASHUP to your feed here.
Enjoying our newsletter? Forward it to a colleague—it’s one of the best ways to support us.
Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58
See you next time!
-X.